Comment 17 for bug 12019

In , Rex Tsai (chihchun) wrote: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities

  2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who
is a cracker from Brasil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org.
http://www.zone-h.org/en/defacements/view/id=2038714/

  I noticed that Joey did an NMU with a patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the perl routine eval(), which allows
attackers to execute arbitrary commands.

You can see this on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.

  5659 # AWStats output is replaced by a plugin output
  5660 if ($PluginMode) {
  5661 my $function="BuildFullHTMLOutput_$PluginMode()";
  5662 eval("$function");
  5663 if ($? || $@) { error("$@"); }
  5664 &html_end(0);
  5665 exit 0;
  5666 }

Please
  * announce a DSA.
  * upgrade to awstats 6.3 ASAP.

Best Regards
-Rex
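Added example, not part of Rex's comment and not AWStats code: the string-eval pattern quoted above placed beside a hardened dispatcher for the same "pluginmode" value. The plugin function names, the loaded-plugin allowlist and the sample parameter values are constructed for illustration; in AWStats the allowlist would come from the LoadPlugin configuration lines.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): a safe dispatcher for the "pluginmode"
# parameter, contrasted with the string-eval pattern quoted in the report.
use strict;
use warnings;

# Constructed stand-ins for the per-plugin output functions that AWStats
# plugins define in the main package (names are assumptions).
sub BuildFullHTMLOutput_hostinfo { return "hostinfo output" }
sub BuildFullHTMLOutput_tooltips { return "tooltips output" }

# Allowlist of plugin modes this installation has actually loaded
# (constructed; AWStats would derive it from its LoadPlugin lines).
my %LoadedPlugins = map { $_ => 1 } qw(hostinfo tooltips);

# Vulnerable pattern (as quoted in the report): the untrusted value is
# interpolated into source text that is then handed to eval(), so any Perl
# code the value carries is compiled and run. Shown for contrast only and
# never invoked below.
sub dispatch_unsafe {
    my ($plugin_mode) = @_;
    my $function = "BuildFullHTMLOutput_$plugin_mode()";
    return eval($function);   # string eval: the injection point
}

# Hardened dispatcher:
#  1. reject anything that is not a plain identifier,
#  2. require the mode to be in the allowlist of loaded plugins,
#  3. resolve the handler through the symbol table and call it as a
#     code reference, so no source text is ever compiled at runtime.
# Returns (output, undef) on success or (undef, reason) on rejection.
sub dispatch_safe {
    my ($plugin_mode) = @_;
    return (undef, "invalid pluginmode")
        unless defined $plugin_mode && $plugin_mode =~ /^[A-Za-z0-9_]{1,64}\z/;
    return (undef, "plugin not loaded")
        unless $LoadedPlugins{$plugin_mode};
    my $handler = __PACKAGE__->can("BuildFullHTMLOutput_$plugin_mode");
    return (undef, "no handler defined") unless $handler;
    return ($handler->(), undef);
}

# Usage: feed a few constructed parameter values through the safe path.
# The fourth value mirrors the ';system(cmd)' shape from the report and is
# rejected by the identifier check before anything is looked up or called.
for my $value ('hostinfo', 'tooltips', 'referer', 'hostinfo;system(cmd)', '') {
    my ($out, $err) = dispatch_safe($value);
    printf "%-24s => %s\n", "'$value'", defined $err ? "rejected: $err" : $out;
}
```

The identifier regex alone would already defeat the `;system(...)` form, but the allowlist and the `can()` lookup are what make the dispatch robust: a mode that is syntactically clean yet names a plugin that was never loaded is refused, and the handler is invoked through a code reference, so there is no path on which request data becomes Perl source.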