AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl.
http://www.securityfocus.com/bid/12298
http://www.kb.cert.org/vuls/id/272296
http://secunia.com/advisories/13893/
http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf