Re: AWstats Path Disclosure Vulnerability Sep 15 2005 12:58AM
Fournaux (fournaux khmerdev com) (2 replies)
Re: AWstats Path Disclosure Vulnerability Sep 15 2005 09:40PM
cwh01 www78 dixiesys com
Thing is, it's a MINOR bug. Since most people install it in the default
/cgi-bin and usually under /awstats, it doesn't give much ammo other than
possibly the userid of the account. And since a LOT of ppl use something
easy like "admin" or a shortened version of the domain name like
"domai00", it's not hard to guess the paths. Besides, a lot of ppl also
have a phpinfo.php file on their sites or servers...that gives you much
more information than this does.

This is nothing more than a minor bug, rather than a real security issue.

> Hi !
> If you use this URL:
> http://www.server.com/awstats/awstats.pl?config=xxx
> You will get the full path on the hard drive of the script "awstats.pl"
> with all sub folders.
> To prevent an attack, this is the kind of information you should hide.
> If you search "full path disclosure" on Google or on Bugtraq you will
> find many security issues.
> It is not a critical vulnerability, but we should be aware.
> Best regards.
> FOURNAUX Nicolas
> -----------------------
> www.cambodiaoutsourcing.com
> www.khmerdev.com
> Martin Pitt wrote:
>>fournaux (at) khmerdev (dot) com [email concealed] [2005-08-26 1:58 -0000]:
>>>Once you have set up this tool, you can get statistics of a website
>>>with this URL :
>>>You replace xxx by the name you gave to the configuration file of
>>>your website (you have one file per website).
>>>But if xxx is not an existing name, the path will be disclosed to
>>>the user in the resulting error message.
>>I'm afraid I don't understand this properly - you request
>>http://some.url?config=/path/to/nonexistent and the error page
>>displays exactly this path? How can this be a vulnerability? AFAICS
>>this can only determine whether a file exists or not, but this is
>>really picky...
>>Thanks for any clarification,

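The failure mode the thread discusses, shown as an added example that is not code from the thread or from AWStats: one error path echoes the script's full filesystem path to the client, the other validates the config name, logs the detail server-side and answers with a generic message. The config directory, file naming and name pattern are constructed assumptions.

```python
"""Added example (not from the thread or from AWStats): a response that leaks
the full on-disk path of the config file, as described above, beside one that
validates the name and keeps the path out of the HTTP response."""
import logging
import os
import re

# Constructed placeholder; AWStats' real config location is not assumed here.
CONFIG_DIR = "/var/www/cgi-bin/awstats/configs"

# Conservative allow-list for the user-supplied config name (assumption).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

log = logging.getLogger("awstats-example")


def config_path(name: str) -> str:
    """Map a config name to the file the script would open."""
    return os.path.join(CONFIG_DIR, f"awstats.{name}.conf")


def error_leaky(name: str) -> str:
    """Pattern the thread describes: the error message echoes the full path."""
    path = config_path(name)
    if not os.path.exists(path):
        return f"Error: Couldn't open config file {path}: No such file or directory"
    return "ok"


def error_hardened(name: str) -> str:
    """Validate the name, log the detail server-side, reply generically."""
    if not _SAFE_NAME.match(name):
        log.warning("rejected config name %r", name)
        return "Error: invalid config name"
    path = config_path(name)
    if not os.path.exists(path):
        # The path goes to the server log, never to the response body.
        log.warning("config not found: %s", path)
        return "Error: config not found"
    return "ok"


def leaks_path(message: str) -> bool:
    """Review helper: does a response body expose a filesystem path?"""
    return CONFIG_DIR in message or message.count("/") >= 2
```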
Re: AWstats Path Disclosure Vulnerability Sep 15 2005 08:01AM
Martin Pitt (martin pitt canonical com)