Re: Path traversal flaws in awstats 7.6 and earlier.

[Stefan Pietsch <s.pietsch () e2security de>]

On 06.01.2018 10:33, Hanno Böck wrote:

> > The cPanel Security Team discovered two path traversal flaws in
> > awstats that could be leveraged for unauthenticated remote code
> > execution.
>
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6
> On the github repo you linked the latest version is 7.5.

The awstats GitHub page has version 7.6:
https://github.com/eldy/awstats/tags

> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.

By not releasing a new version of awstats it gets unnecessarily
difficult to track the fix in distributions.

The author has proven that he is not able to handle security issues well
when I contacted him last year.
(https://github.com/Dolibarr/dolibarr/issues/6504)

On the project's security page there is no update so far:
http://www.awstats.org/awstats_security_news.php


Regards,
Stefan