oss-sec mailing list archives
Re: Path traversal flaws in awstats 7.6 and earlier.
From: Stefan Pietsch <s.pietsch () e2security de>
Date: Sun, 7 Jan 2018 04:32:32 +0100
On 06.01.2018 10:33, Hanno Böck wrote:
> The cPanel Security Team discovered two path traversal flaws in awstats that could be leveraged for unauthenticated remote code execution.
>
> On https://awstats.sourceforge.io/#DOWNLOAD the latest version is still 7.6. On the GitHub repo you linked the latest version is 7.5.
The awstats GitHub page has version 7.6: https://github.com/eldy/awstats/tags
> Are you in contact with the developers? It's not exactly ideal that there's a publicly known remote code execution and there is no new release containing the fix.
Not releasing a new version of awstats makes it unnecessarily difficult to track the fix in distributions.

The author has proven that he is not able to handle security issues well when I contacted him last year (https://github.com/Dolibarr/dolibarr/issues/6504).

On the project's security page there is no update so far: http://www.awstats.org/awstats_security_news.php

Regards,
Stefan
Current thread:
- Re: Path traversal flaws in awstats 7.6 and earlier. Hanno Böck (Jan 06)
- Re: Path traversal flaws in awstats 7.6 and earlier. John Lightsey (Jan 06)
- Re: Path traversal flaws in awstats 7.6 and earlier. Stefan Pietsch (Jan 07)