[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <16068.156.77.108.71.1126820414.squirrel@www.capitalwebhost.net>
Date: Thu, 15 Sep 2005 16:40:14 -0500 (CDT)
From: cwh01@...78.dixiesys.com
To: bugtraq@...urityfocus.com
Subject: Re: AWstats Path Disclosure Vulnerability
Thing is, it's a MINOR bug. Since most people install it in the default
/cgi-gin and usually under /awstats, it doesn't give much ammo other then
possibly the userid of the account. And since a LOT of ppl use something
easy like "admin" or a shortened version of teh domain name like
"domai00", it's not hard to guess the paths. Besides, a lot of ppl also
have a phpinfo.php file on their sites or servers...that gives you much
more information then this does.
This is nothing more then a minor bug then a real security issue.
> Hi !
>
> If you use this url :
> http://www.server.com/awstats/awstats.pl?config=xxx
>
> You will get the full path on the hard drive of the script "awstats.pl"
> with all sub folders.
> To prevent an attack, this is the kind of information you should hide.
>
> If you search "full path disclosure" on google or on bugtraq you will
> find many security issue.
> It is not a critical vulnerability but we should be aware.
>
> Best regards.
>
> FOURNAUX Nicolas
> -----------------------
> www.cambodiaoutsourcing.com
> www.khmerdev.com
>
> Martin Pitt a écrit :
>
>>Hi!
>>
>>fournaux@...erdev.com [2005-08-26 1:58 -0000]:
>>
>>
>>>Once you have setup this tool, you can get statistics of a website
>>>with this URL :
>>>
>>>http://www.server.com/awstats/awstats.pl?config=xxx
>>>
>>>You replace xxx by the name you gave to the configuration file of
>>>your website (You have one file per website)
>>>
>>>But if xxx is not an existing name, the path will be disclosed to
>>>the user in the resulting error message.
>>>
>>>
>>
>>I'm afraid I don't understand this properly - You request
>>http://some.url?config=/path/to/nonexistant and the error page
>>displays exactly this path? How can this be a vulnerability? AFAICS
>>this can only determine whether a file exists or not, but this is
>>really picky...
>>
>>Thanks for any clarification,
>>
>>Martin
>>
>>
>
Powered by blists - more mailing lists