lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 15 Sep 2005 16:40:14 -0500 (CDT)
From: cwh01@...78.dixiesys.com
To: bugtraq@...urityfocus.com
Subject: Re: AWstats Path Disclosure Vulnerability


Thing is, it's a MINOR bug.  Since most people install it in the default
/cgi-gin and usually under /awstats, it doesn't give much ammo other then
possibly the userid of the account.  And since a LOT of ppl use something
easy like "admin" or a shortened version of teh domain name like
"domai00", it's not hard to guess the paths.   Besides, a lot of ppl also
have a phpinfo.php file on their sites or servers...that gives you much
more information then this does.

This is nothing more then a minor bug then a real security issue.

> Hi !
>
> If you use this url :
> http://www.server.com/awstats/awstats.pl?config=xxx
>
> You will get the full path on the hard drive of the script "awstats.pl"
> with all sub folders.
> To prevent an attack, this is the kind of information you should hide.
>
> If you search "full path disclosure" on google or on bugtraq you will
> find many security issue.
> It is not a critical vulnerability but we should be aware.
>
> Best regards.
>
> FOURNAUX Nicolas
> -----------------------
> www.cambodiaoutsourcing.com
> www.khmerdev.com
>
> Martin Pitt a écrit :
>
>>Hi!
>>
>>fournaux@...erdev.com [2005-08-26  1:58 -0000]:
>>
>>
>>>Once you have setup this tool, you can get statistics of a website
>>>with this URL :
>>>
>>>http://www.server.com/awstats/awstats.pl?config=xxx
>>>
>>>You replace xxx by the name you gave to the configuration file of
>>>your website (You have one file per website)
>>>
>>>But if xxx is not an existing name, the path will be disclosed to
>>>the user in the resulting error message.
>>>
>>>
>>
>>I'm afraid I don't understand this properly - You request
>>http://some.url?config=/path/to/nonexistant and the error page
>>displays exactly this path? How can this be a vulnerability? AFAICS
>>this can only determine whether a file exists or not, but this is
>>really picky...
>>
>>Thanks for any clarification,
>>
>>Martin
>>
>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ