LockedAwstats Vulnerability Question

Senior Member
2010/05/09 15:57:08 (permalink)

Awstats Vulnerability Question

One of our customers is trying to meet PCI compliancy for credit card processing and their site is scanned monthly. The latest scan revealed a vulnerability in Awstats:

                  AWStats 'awstats.pl' Path Disclosure

                 AWStats is installed on this system. AWStats can be installed as a
                 standalone package or bundled with a third-party software such as
                 WebGUI Runtime Environment. The installed version is affected by a
                 path disclosure vulnerability. By specifying a non-existent config file to
                 the 'config' parameter in awstats.pl, it may be possible for an attacker
                 to view install path information.
                 Service: Microsoft-IIS/6.0
                 CVE: CVE-2006-3682
                 NVD: CVE-2006-3682
                 Bugtraq: 34159
                 Reference: http://awstats.sourceforge.net/Reference: http://
                 CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)

                 WebGUI Runtime Environment (WRE) addressed this issue with the
                 release of version 0.9.0. AWStats has also release an updated version.
                 Install the latest version of the software and any relevant patches.

We are running Server 2003 & HC 8 build 7.


1 Reply Related Threads

    Premium Member
    Re:Awstats Vulnerability Question 2010/09/19 11:27:53 (permalink)
    Someone has any comments about it?
    Jump to: