#811 Awstats path Disclosure issue

closed
Chris Larsen
Other (220)
9
2012-10-11
2009-06-22
Manny Redman
No

I have installed version 6.9 on the Windows platform to address the path disclosure issue. However, when my site is scanned it is still showing that this issue exists. The security notes show that this issue should have been corrected in this version.

Can anyone suggest a fix to this problem and how to implement it on my install?

Sample of issue:

When you enter http://your_site/path_to/awstats.pl?config=nothing in the address bar of the browser, you get:

Error: Couldn't open config file "awstats.nothing.conf" nor "awstats.conf" after searching in path "C:\Webs\test\cgi-bin,/etc/awstats,/usr/local/etc/awstats,/etc,/etc/opt/awstats": No such file or directory.

I'm trying to get my website PCI compliant and this is reported as an issue that would prevent my website from passing compliance.

Discussion

  • Chris Larsen
    2010-05-03

    Will only display the path in CLI mode or if you edit the AWStats.pl file and set $DEBUGFORCED = 1;

     
  • Chris Larsen
    2010-05-03

    The feature/change or bug fix was added in CVS tree.
    Will be available with next release.