I am trying to get my website PCI compliant.
After running a security scan from securitymetrics.com, I receive the following:
Synopsis : The remote web server contains an application which is affected by a path disclosure issue.

Description : AWStats is installed on the remote system. AWStats could be installed as a standalone package or could be bundled or shipped with a third-party software such as WebGUI Runtime Environment. The installed version is affected by a path disclosure vulnerability. By specifying a nonexistent config file to the 'config' parameter in awstats.pl, it may be possible for an attacker to view install path information.

See also : http://www.plainblack.com/bugs/tracker/8964

Solution: AWStats standalone package - Unknown at this time. WebGUI Runtime Environment (WRE) - Upgrade to WRE 0.9.0.

Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

BID : 34159

Other references : Secunia:34346
After reading about this issue, I was under the impression that this was corrected in version 6.5 or 6.6. I am currently running version 6.9 on the Windows platform and need to get this issue corrected or remove AWStats completely.