oss-sec mailing list archives
Re: Path traversal flaws in awstats 7.6 and earlier.
From: John Lightsey <jd () cpanel net>
Date: Sat, 6 Jan 2018 12:25:09 -0600
On 1/6/18 3:33 AM, Hanno Böck wrote:
> On Wed, 27 Dec 2017 09:21:41 -0600 John Lightsey <jd () cpanel net> wrote:
>> The cPanel Security Team discovered two path traversal flaws in awstats that could be leveraged for unauthenticated remote code execution.
>
> On https://awstats.sourceforge.io/#DOWNLOAD the latest version is still 7.6. On the github repo you linked the latest version is 7.5. Are you in contact with the developers? It's not exactly ideal that there's a publicly known remote code execution and there is no new release containing the fix.
I'd agree with you there. Whenever we report security issues to upstream developers, we have no control over the process they use to resolve the issue. In this case, the upstream author committed a partial fix to a public repo soon after we reported the problem. In my view, whenever an upstream author does this, you just consider the issue to be public whether or not official releases or announcements have been made. I'll pass your feedback along to the upstream author though.