Full Disclosure mailing list archives

Re: New awstats.pl vulnerability?


From: Grandma Eubanks <tborland1 () gmail com>
Date: Mon, 12 Dec 2011 20:02:53 -0600

Hello,

It certainly happens. It's very random who scanners decide to hit. You may
have JUST been crawled and passed around several lists as possibilities. To
put some perspective on what you're seeing, the company I work for has
about 3k clients and within the past hour (just checked now), we got about
5,122 attempts for this one vulnerability in our environment.

On Mon, Dec 12, 2011 at 6:30 PM, Lamar Spells <lamar.spells () gmail com>wrote:

For the past several days, I have been seeing thousands of requests
looking for awstats.pl like this one:

GET /awstats/awstats.pl ? configdir=|echo;echo YYYAAZ;uname;id;echo YYY;echo|

I am dropping these requests due to previous (and very old) issues
with awstats (see CVE-2006-3682).

But this leaves me wondering if there is a new vuln lurking here somewhere.

Anyone else seeing the same thing?

Regards,

Lamar Spells

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
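The probe quoted above has a shape a detection rule can key on: a request for awstats.pl whose configdir parameter carries shell metacharacters. The following is an added example, not code from this thread or from the AWStats project, that scans a combined-format access log for that pattern. It parses each line, splits and URL-decodes the query string itself (so the ';' inside the payload is kept rather than treated as a parameter separator), and reports the source IP, response status and decoded target of every match. The log lines are constructed for the demonstration, and the metacharacter set is an assumption about what a legitimate configdir value never contains.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format) for this demo; not real traffic.
# Line 1 is the probe quoted in the thread, with spaces percent-encoded as a client would send them.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2011:18:30:01 -0600] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1" 403 0 "-" "Mozilla/4.0"
198.51.100.2 - - [12/Dec/2011:18:30:02 -0600] "GET /awstats/awstats.pl?config=example.com&output=main HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2011:18:30:03 -0600] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%3Bid%3Becho%7C HTTP/1.0" 404 213 "-" "-"
192.0.2.4 - - [12/Dec/2011:18:30:04 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.21"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: a real AWStats config directory path never contains any of these.
SHELL_META = set('|;`$&\n\r')


def query_params(query):
    """Split a query string on '&' only and percent-decode names and values.

    Splitting is done by hand rather than with parse_qs so that ';' stays inside
    the value: it is part of the injected command chain, not a separator.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(unquote(name), []).append(unquote_plus(value))
    return params


def is_awstats_configdir_injection(target):
    """True if the request target is awstats.pl with shell metacharacters in configdir."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('awstats.pl'):
        return False
    for value in query_params(parts.query).get('configdir', []):
        # Decode a second time so a double-encoded payload (%257C -> %7C -> |) is caught too.
        decoded = unquote(value)
        if any(ch in SHELL_META for ch in decoded):
            return True
    return False


def scan_log(text):
    """Return one record per matching request: source IP, HTTP status, decoded target."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_awstats_configdir_injection(m.group('target')):
            hits.append({
                'ip': m.group('ip'),
                'status': m.group('status'),
                'target': unquote(m.group('target')),
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['target'])
```

The status code is kept in each record on purpose: a 403 or 404 means the probe was dropped or there is no awstats.pl to reach, while a 200 on such a request is the case worth pulling the host's process and shell history for.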
