Mandriva Linux Security Advisory 2011-033 - awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a WebDAV server or NFS server. Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory. The updated packages have been upgraded to the latest version to address these vulnerabilities.
9e4e32cce97beecc5b78553696c4f168221c75fb1d97782e6b9b984727fb3ed4
Ubuntu Security Notice 1047-1 - It was discovered that AWStats did not correctly filter the LoadPlugin configuration option. A local attacker on a shared system could use this to inject arbitrary code into AWStats.
b9951f473de622dbf38e911df981e0bcf5401099fb393900dcbd09ae4fccdecd