Awstats Vulnerability Question

Author
oakleeman
Senior Member
2010/05/09 15:57:08 (permalink)

Awstats Vulnerability Question

One of our customers is trying to meet PCI compliancy for credit card processing and their site is scanned monthly. The latest scan revealed a vulnerability in Awstats:

                  AWStats 'awstats.pl' Path Disclosure

                 AWStats is installed on this system. AWStats can be installed as a
                 standalone package or bundled with a third-party software such as
                 WebGUI Runtime Environment. The installed version is affected by a
                 path disclosure vulnerability. By specifying a non-existent config file to
                 the 'config' parameter in awstats.pl, it may be possible for an attacker
                 to view install path information.
                 Service: Microsoft-IIS/6.0
                 CVE: CVE-2006-3682
                 NVD: CVE-2006-3682
                 Bugtraq: 34159
                 Reference: http://awstats.sourceforge.net/
                 Reference: http://www.plainblack.com/bugs/tracker/8964
                 CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)

                 WebGUI Runtime Environment (WRE) addressed this issue with the
                 release of version 0.9.0. AWStats has also released an updated version.
                 Install the latest version of the software and any relevant patches.

We are running Server 2003 & HC 8 build 7.


#1
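
A server-side log check for the request pattern the scan finding describes, as an added example that is not part of the original post. It assumes IIS W3C extended logging with the `cs-uri-stem` and `cs-uri-query` fields enabled; the known config names and the sample log lines are constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumption: AWStats config names that really exist on this server (hypothetical).
KNOWN_CONFIGS = {"example.com", "shop.example.com"}

# Constructed IIS W3C extended log sample (not taken from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-05-01 10:00:01 192.0.2.10 GET /awstats/awstats.pl config=example.com 200
2010-05-01 10:00:05 198.51.100.7 GET /awstats/awstats.pl config=nonexistent-probe 200
2010-05-01 10:00:09 198.51.100.7 GET /AWStats/AWSTATS.PL config=doesnotexist&output=main 200
2010-05-01 10:00:12 192.0.2.10 GET /default.aspx - 200
2010-05-01 10:00:15 203.0.113.4 GET /awstats/awstats.pl - 200
"""


def find_unknown_config_requests(log_text, known_configs=KNOWN_CONFIGS):
    """Return (date, time, client_ip, config) for awstats.pl requests whose
    'config' value does not match a known site configuration."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue  # other directives, blanks, or rows before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row, skip rather than misalign columns
        row = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare the stem in lower case.
        if not row.get("cs-uri-stem", "").lower().endswith("/awstats.pl"):
            continue
        raw_query = row.get("cs-uri-query", "-")
        query = "" if raw_query == "-" else raw_query  # "-" means no query
        for cfg in parse_qs(query, keep_blank_values=True).get("config", []):
            if cfg.lower() not in known_configs:
                hits.append((row.get("date"), row.get("time"), row.get("c-ip"), cfg))
    return hits


if __name__ == "__main__":
    for hit in find_unknown_config_requests(SAMPLE_LOG):
        print(*hit)
```

Hits from the scanner's own address are expected around the monthly scan date; the same pattern from other clients is what is worth reviewing.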


    crnunez
    Premium Member
    Re:Awstats Vulnerability Question 2010/09/19 11:27:53 (permalink)
    Does anyone have any comments about it?
    #2