Re:Awstats Vulnerability Question (crnunez)

Sun, 19 Sep 2010 11:27:53 GMT

Someone has any comments about it?

Awstats Vulnerability Question (oakleeman)

Sun, 09 May 2010 15:57:08 GMT

One of our customers is trying to meet PCI compliancy for credit card processing and their site is scanned monthly. The latest scan revealed a vulnerability in Awstats:

                  AWStats 'awstats.pl' Path Disclosure

                 AWStats is installed on this system. AWStats can be installed as a
                 standalone package or bundled with a third-party software such as
                 WebGUI Runtime Environment. The installed version is affected by a
                 path disclosure vulnerability. By specifying a non-existent config file to
                 the 'config' parameter in awstats.pl, it may be possible for an attacker
                 to view install path information.
                 Service: Microsoft-IIS/6.0
                 CVE: CVE-2006-3682
                 NVD: CVE-2006-3682
                 Bugtraq: 34159
                 Reference: http://awstats.sourceforge.net/Reference: http://
                 www.plainblack.com/bugs/tracker/8964
                 CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)

                 WebGUI Runtime Environment (WRE) addressed this issue with the
                 release of version 0.9.0. AWStats has also release an updated version.
                 Install the latest version of the software and any relevant patches.

We are running Server 2003 & HC 8 build 7.