[VIM] AWStats question [CVE 2005-0362 & 2005-0436]

security curmudgeon jericho at attrition.org
Sun May 1 13:49:42 EDT 2005

CAN-2005-0362 / OSVDB 1000034

awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary 
commands via shell metacharacters in the (1) "pluginmode", (2) 
"loadplugin", or (3) "noloadplugin" parameters.

CAN-2005-0436 / OSVDB 13832
BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities

Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 
allows remote attackers to execute portions of Perl code via the 
PluginMode parameter.


2005-0362 is effectively Feb 11, 2005 and 2005-0436 is Feb 14, 2005. Given 
the proximity of the two, and one parameter seems to be the same 
(PluginMode / pluginmode), these seem like they should be merged possibly.

First question is how CVE differentiates between "commands via shell 
metacharacters" and "direct code injection".

Second question is, are 'PluginMode' and 'pluginmode' the same params, or 
is the script case sensitive and these are two different variables?


More information about the VIM mailing list