<<< Date Index >>>     <<< Thread Index >>>

Re: AWstats Path Disclosure Vulnerability



Thing is, it's a MINOR bug.  Since most people install it in the default
/cgi-gin and usually under /awstats, it doesn't give much ammo other then
possibly the userid of the account.  And since a LOT of ppl use something
easy like "admin" or a shortened version of teh domain name like
"domai00", it's not hard to guess the paths.   Besides, a lot of ppl also
have a phpinfo.php file on their sites or servers...that gives you much
more information then this does.

This is nothing more then a minor bug then a real security issue.

> Hi !
>
> If you use this url :
> http://www.server.com/awstats/awstats.pl?config=xxx
>
> You will get the full path on the hard drive of the script "awstats.pl"
> with all sub folders.
> To prevent an attack, this is the kind of information you should hide.
>
> If you search "full path disclosure" on google or on bugtraq you will
> find many security issue.
> It is not a critical vulnerability but we should be aware.
>
> Best regards.
>
> FOURNAUX Nicolas
> -----------------------
> www.cambodiaoutsourcing.com
> www.khmerdev.com
>
> Martin Pitt a écrit :
>
>>Hi!
>>
>>fournaux@xxxxxxxxxxxx [2005-08-26  1:58 -0000]:
>>
>>
>>>Once you have setup this tool, you can get statistics of a website
>>>with this URL :
>>>
>>>http://www.server.com/awstats/awstats.pl?config=xxx
>>>
>>>You replace xxx by the name you gave to the configuration file of
>>>your website (You have one file per website)
>>>
>>>But if xxx is not an existing name, the path will be disclosed to
>>>the user in the resulting error message.
>>>
>>>
>>
>>I'm afraid I don't understand this properly - You request
>>http://some.url?config=/path/to/nonexistant and the error page
>>displays exactly this path? How can this be a vulnerability? AFAICS
>>this can only determine whether a file exists or not, but this is
>>really picky...
>>
>>Thanks for any clarification,
>>
>>Martin
>>
>>
>