[VIM] AWStats question [CVE 2005-0362 & 2005-0436]
security curmudgeon
jericho at attrition.org
Sun May 1 13:49:42 EDT 2005
CAN-2005-0362 / OSVDB 1000034
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary
commands via shell metacharacters in the (1) "pluginmode", (2)
"loadplugin", or (3) "noloadplugin" parameters.

CAN-2005-0436 / OSVDB 13832
BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities
URL:http://www.securityfocus.com/archive/1/390368
Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4
allows remote attackers to execute portions of Perl code via the
PluginMode parameter.
--
2005-0362 is effectively Feb 11, 2005 and 2005-0436 is Feb 14, 2005. Given
the proximity of the two, and one parameter seems to be the same
(PluginMode / pluginmode), these seem like they should be merged possibly.

First question is how CVE differentiates between "commands via shell
metacharacters" and "direct code injection".

Second question is, are 'PluginMode' and 'pluginmode' the same params, or
is the script case sensitive and these are two different variables?

brian