Hi,

On Thu, 26 Mar 2026 08:30:51 +0100 Christian Marillat <[email protected]> wrote:
On 25 Mar 2026 12:04, "Chris Lamb" <[email protected]> wrote:
> Christian, let me know if you would like me to prepare an update
> for unstable. I note that you recently took over the package, but
> I can't quite work out where the canonical Git repo is now; the
> one at debian/awstats on Salsa is outdated.

I'm not sure, but from the pdf file, the injection is only possible if
the awstats.conf is modified with a special string.

If someone can modify the configuration file then the machine is
probably already compromised.

,----
| Requirements:
| To perform this exploit, an attacker must find a way to create or modify the
| “awstats.conf” file with malicious content as well as the ability to
| create files with arbitrary names on the system
`----
Later in the same PDF file:

,----
| The above reverse shell scenario presents a potential jailshell escape scenario
| in the cPanel environment that uses AWStats as an integrated 3rd party solution.
`----


So a web panel user, when allowed to modify DNSLastUpdateCacheFile, could execute code on the machine where awstats runs, where he normally doesn't have shell access.

FTR that's why we fixed this in LTS/ELTS.
(though admittedly this should have gone through unstable first)

Cheers!
Sylvain Beucler
Debian LTS Team
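The check a sysadmin would want after reading this thread, as an added example that is not code from the thread, from AWStats or from Debian: a small audit script that parses awstats.conf files, flags a DNSLastUpdateCacheFile whose value is anything other than a plain file name, and reports config files that a non-root account can edit (the distinction the two replies above draw between "the machine is already compromised" and "a panel user is allowed to edit this file"). The set of characters it treats as suspect, the list of audited directives and the embedded sample configs are assumptions; the script does not know or reproduce the actual string from the advisory.

```python
#!/usr/bin/env python3
"""Audit awstats.conf files for a non-plain DNSLastUpdateCacheFile value and
for config files writable by non-root accounts.  Added example; not AWStats code."""
import os
import re
import stat
import sys

# Assumption: the "special string" the advisory refers to involves some kind of
# shell / file-open metacharacter.  Anything beyond a plain file name is flagged
# for manual review; the script does not try to judge payloads.
SUSPECT_CHARS = frozenset('|;&$`<>()\n\r')

# Only the directive named in the thread is audited (assumption: others are fine).
AUDITED_DIRECTIVES = ("DNSLastUpdateCacheFile",)

# awstats.conf directives look like   Key="value"   or   Key=value
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_awstats_conf(text):
    """Return {directive: value} for one awstats.conf body; comments/blanks skipped."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        # Strip one layer of matching surrounding quotes.
        if len(val) >= 2 and val[0] == val[-1] and val[0] in '"\'':
            val = val[1:-1]
        values[key] = val
    return values


def suspicious_value(value):
    """True if the value contains a character a plain cache-file path never needs."""
    return any(c in SUSPECT_CHARS for c in value)


def audit_conf_text(text):
    """Findings for one config body as a list of (directive, value)."""
    values = parse_awstats_conf(text)
    return [(d, values[d]) for d in AUDITED_DIRECTIVES
            if d in values and suspicious_value(values[d])]


def writable_by_non_root(mode, uid):
    """True if a file with this st_mode/st_uid can be edited by a non-root account."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_conf_file(path):
    """Audit one on-disk config: (value findings, permission finding or None)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        value_findings = audit_conf_text(fh.read())
    st = os.stat(path)
    perm_finding = None
    if writable_by_non_root(st.st_mode, st.st_uid):
        perm_finding = "uid=%d mode=%s" % (st.st_uid, oct(stat.S_IMODE(st.st_mode)))
    return value_findings, perm_finding


# Constructed sample configs (not real deployments): one clean, one with a
# hypothetical non-plain value (a pipe character inside the file name).
SAMPLE_CONF = '''
# Minimal awstats.conf fragment for the audit
LogFile="/var/log/apache2/access.log"
SiteDomain="example.test"
DNSLastUpdateCacheFile="/var/lib/awstats/dnscachelastupdate.txt"
'''
SAMPLE_CONF_SUSPECT = SAMPLE_CONF.replace(
    '"/var/lib/awstats/dnscachelastupdate.txt"',
    '"/var/lib/awstats/dns|cache.txt"')


def main(argv):
    paths = argv[1:]
    if not paths:  # no files given: run on the embedded samples
        for label, body in (("sample-clean", SAMPLE_CONF),
                            ("sample-suspect", SAMPLE_CONF_SUSPECT)):
            print(label, audit_conf_text(body) or "clean")
        return 0
    rc = 0
    for p in paths:
        values, perms = audit_conf_file(p)
        if values or perms:
            rc = 1
        print(p, values or "values ok", perms or "perms ok")
    return rc


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_awstats.py /etc/awstats/*.conf` (or against the per-user copies a panel generates); a non-zero exit means at least one file needs a look. A permission finding is not a vulnerability by itself, but it is exactly the situation the second reply describes: a user who may edit the file is a user who may set that directive.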
