Re: AWstats Path Disclosure Vulnerability

To: Fournaux <fournaux@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: AWstats Path Disclosure Vulnerability
From: Martin Pitt <martin.pitt@xxxxxxxxxxxxx>
Date: Thu, 15 Sep 2005 10:01:23 +0200
In-reply-to: <4328C733.6070301@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050826015829.29988.qmail@xxxxxxxxxxxxxxxxx> <20050914093058.GG8322@xxxxxxxxx> <4328C733.6070301@xxxxxxxxxxxx>
User-agent: Mutt/1.5.9i

Hi Nicolas!

Fournaux [2005-09-15  2:58 +0200]:
> If you use this url :
> http://www.server.com/awstats/awstats.pl?config=xxx
> 
> You will get the full path on the hard drive of the script "awstats.pl" 
> with all sub folders.

Ah, I see; I thought you meant the path of the configuration file.

Well, that makes it even less of a problem for distributions since the
path of program files of installed packages is common knowledge
anyway.

It might be a problem in custom installations, though.

Thanks for the clarification,

Martin
-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

Attachment: signature.asc
Description: Digital signature

References:
- AWstats Path Disclosure Vulnerability
  - From: fournaux
- Re: AWstats Path Disclosure Vulnerability
  - From: Fournaux

Prev by Date: PTL Advisory 050825 - HP LaserJet Network Username and Information Enumeration
Next by Date: [FLSA-2005:160202] Updated mozilla packages fix security issues
Previous by thread: Re: AWstats Path Disclosure Vulnerability
Next by thread: [security bulletin] SSRT051023 rev.0 - HP Openview Network Node Manager (OV NNM) Remote Unauthorized Access
Index(es):
- Date
- Thread