#1747 AWstats is affected by a path disclosure issue

closed
Chris Larsen
None
9
2012-10-11
2009-06-23
Manny Redman
No

I am trying to get my website PCI Compliant.

After running a security scan from securitymetrics.com I receive the following:

Synopsis : The remote web server contains an application which is affected by a path disclosure issue. Description : AWStats is installed on the remote system. AWStats could be installed as a standalone package or could be bundled or shipped with a third-party software such as WebGUI Runtime Environment. The installed version is affected by a path disclosure vulnerability. By specifying a nonexistent config file to the 'config' parameter in awstats.pl, it may be possible for an attacker to view install path information. See also : http://www.plainblack.com/bugs/tracker/8 964 Solution: AWStats standalone package - Unknown at this time. WebGUI Runtime Environment (WRE) - Upgrade to WRE 0.9.0. Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) BID : 34159 Other references : Secunia:34346

After reading about this issue, I was under the impression that this was corrected in version 6.5 or 6.6. I am currently running version 6.9 on the windows platform and need to get this issue corrected or remove AWSTATS completely.

Please Advise..

Discussion

  • Me too. Awstats 6.9 build 1.925 on Fedora Core 10 has this path disclosure problem, that SecurityMetrics thinks is a reasonably serious issue.

    The path disclosure is easy to fix:

    "Couldn't open config file \"$PROG.$SiteConfig.conf\" nor \"$PROG.conf\" after searching in path \""

    . join( ',', @PossibleConfigDir )

    . "\": $!" );

    "Couldn't open config file \"$PROG.$SiteConfig.conf\" nor \"$PROG.conf\""
    . "\": $!" );
    }

    I hope that SecurityMetrics' scanner is happy with my fix.

     
  • Chris Larsen
    Chris Larsen
    2010-05-07

    Your problem looks like a bug or missing feature that have been
    fixed in a more recent AWStats version (might be last beta).