Re: AWstats Path Disclosure Vulnerability

[cwh01 () www78 dixiesys com]

Thing is, it's a MINOR bug.  Since most people install it in the default
/cgi-gin and usually under /awstats, it doesn't give much ammo other then
possibly the userid of the account.  And since a LOT of ppl use something
easy like "admin" or a shortened version of teh domain name like
"domai00", it's not hard to guess the paths.   Besides, a lot of ppl also
have a phpinfo.php file on their sites or servers...that gives you much
more information then this does.

This is nothing more then a minor bug then a real security issue.

> Hi !
>
> If you use this url :
> http://www.server.com/awstats/awstats.pl?config=xxx
>
> You will get the full path on the hard drive of the script "awstats.pl"
> with all sub folders.
> To prevent an attack, this is the kind of information you should hide.
>
> If you search "full path disclosure" on google or on bugtraq you will
> find many security issue.
> It is not a critical vulnerability but we should be aware.
>
> Best regards.
>
> FOURNAUX Nicolas
> -----------------------
> www.cambodiaoutsourcing.com
> www.khmerdev.com
>
> Martin Pitt a écrit :
>
> > Hi!
> >
> > fournaux () khmerdev com [2005-08-26  1:58 -0000]:
> >
> >
> > > Once you have setup this tool, you can get statistics of a website
> > > with this URL :
> > >
> > > http://www.server.com/awstats/awstats.pl?config=xxx
> > >
> > > You replace xxx by the name you gave to the configuration file of
> > > your website (You have one file per website)
> > >
> > > But if xxx is not an existing name, the path will be disclosed to
> > > the user in the resulting error message.
> >
> > I'm afraid I don't understand this properly - You request
> > http://some.url?config=/path/to/nonexistant and the error page
> > displays exactly this path? How can this be a vulnerability? AFAICS
> > this can only determine whether a file exists or not, but this is
> > really picky...
> >
> > Thanks for any clarification,
> >
> > Martin