Awstats Vulnerability Question
One of our customers is trying to meet PCI compliancy for credit card processing and their site is scanned monthly. The latest scan revealed a vulnerability in Awstats:
AWStats 'awstats.pl' Path Disclosure
AWStats is installed on this system. AWStats can be installed as a
standalone package or bundled with a third-party software such as
WebGUI Runtime Environment. The installed version is affected by a
path disclosure vulnerability. By specifying a non-existent config file to
the 'config' parameter in awstats.pl, it may be possible for an attacker
to view install path information.
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)
WebGUI Runtime Environment (WRE) addressed this issue with the
release of version 0.9.0. AWStats has also release an updated version.
Install the latest version of the software and any relevant patches.
We are running Server 2003 & HC 8 build 7.