oss-sec mailing list archives

Re: Path traversal flaws in awstats 7.6 and earlier.


From: Hanno Böck <hanno () hboeck de>
Date: Sat, 6 Jan 2018 10:33:33 +0100

Hi,

On Wed, 27 Dec 2017 09:21:41 -0600
John Lightsey <jd () cpanel net> wrote:

> The cPanel Security Team discovered two path traversal flaws in
> awstats that could be leveraged for unauthenticated remote code
> execution.

On https://awstats.sourceforge.io/#DOWNLOAD
the latest version is still 7.6.
On the GitHub repo you linked, the latest version is 7.5.

Are you in contact with the developers? It's not exactly ideal that
there's a publicly known remote code execution and there is no new
release containing the fix.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

