CVE-2001-0113

OmniHTTPd 2.07 - Remote Code Execution via statsconfig.pl mostbrowsers Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2001-0113.

AI-analyzed exploit summary This Perl script exploits two vulnerabilities in OmniHTTPd's statsconfig.pl CGI script: arbitrary file corruption via null-byte injection and command execution via user-supplied input in the 'mostbrowsers' form variable. It demonstrates both file truncation and RCE by injecting malicious Perl code into stats.pl.

Description

statsconfig.pl in OmniHTTPd 2.07 allows remote attackers to execute arbitrary commands via the mostbrowsers parameter, whose value is used as part of a generated Perl script.

Exploits (1)

exploitdb WORKING POC

perlremotewindows

https://www.exploit-db.com/exploits/20557

View Code ZIP pw:eip

This Perl script exploits two vulnerabilities in OmniHTTPd's statsconfig.pl CGI script: arbitrary file corruption via null-byte injection and command execution via user-supplied input in the 'mostbrowsers' form variable. It demonstrates both file truncation and RCE by injecting malicious Perl code into stats.pl.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OmniHTTPd v2.07 (and possibly older versions)

No auth needed

Prerequisites: Target must have OmniHTTPd with statsconfig.pl installed · Knowledge of the absolute path to the cgi-bin directory for RCE

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html

Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/2211

Scores

EPSS 0.0756

EPSS Percentile 92.0%

Details

Status published

Products (1)

omnicron/omnihttpd 2.0.7

Published Mar 12, 2001

Tracked Since Feb 18, 2026