awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter.Referenceshttp://www.debian.org/security/2005/dsa-682http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
