[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#891469: awstats: Path traversal in config parameter if site config is missing.



Hi,

Since awstats is currently unmaintained, can you request a new CVE for this at https://cveform.mitre.org/ ?

This way it'll be properly monitored and taken care of in distros.

Cheers!
Sylvain

On Sun, 25 Feb 2018 21:33:34 +0100 =?utf-8?b?VG9tYcW+IMWgb2xj?= <tomaz.solc@tablix.org> wrote:
Package: awstats
Version: 7.6+dfsg-2
Severity: normal

Dear Maintainer,

the patch for CVE-2017-1000501 seems to have been incomplete. Please see this
report upstream:

https://github.com/eldy/awstats/issues/90

awstats will parse arbitrary files passed in the "config" parameter if the
default /etc/awstats/awstats.conf is not present. Debian package will install
awstats.conf, so a default install does not seem to be vulnerable. However it
is possible to use awstats with separate configs for different sites without
the default awstats.conf (although README.Debian recommends leaving
awstats.conf in place)

I can confirm that the reported issue exists in awstats 7.6+dfsg-2 and
7.6+dfsg-1+deb9u1.

Steps to reproduce (on Stretch)

# apt-get install awstats
# rm /etc/awstats/awstats.conf
# cp /usr/share/doc/awstats/examples/apache.conf /etc/apache2/conf-available/awstats.conf
# a2enconf awstats
# systemctl reload apache2

Visit http://localhost/cgi-bin/awstats.pl?config=/etc/passwd


-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages awstats depends on:
ii  perl  5.24.1-3+deb9u2

Versions of packages awstats recommends:
ii  libnet-xwhois-perl  0.90-4

Versions of packages awstats suggests:
ii  apache2 [httpd]     2.4.25-3+deb9u3
pn  libgeo-ipfree-perl  <none>
ii  libnet-dns-perl     1.07-1
ii  libnet-ip-perl      1.26-1
ii  liburi-perl         1.71-1

-- Configuration Files:
/etc/awstats/awstats.conf [Errno 2] No such file or directory: '/etc/awstats/awstats.conf'



Reply to: