Thing is, it's a MINOR bug. Since most people install it in the default /cgi-gin and usually under /awstats, it doesn't give much ammo other then possibly the userid of the account. And since a LOT of ppl use something easy like "admin" or a shortened version of teh domain name like "domai00", it's not hard to guess the paths. Besides, a lot of ppl also have a phpinfo.php file on their sites or servers...that gives you much more information then this does. This is nothing more then a minor bug then a real security issue. > Hi ! > > If you use this url : > http://www.server.com/awstats/awstats.pl?config=xxx > > You will get the full path on the hard drive of the script "awstats.pl" > with all sub folders. > To prevent an attack, this is the kind of information you should hide. > > If you search "full path disclosure" on google or on bugtraq you will > find many security issue. > It is not a critical vulnerability but we should be aware. > > Best regards. > > FOURNAUX Nicolas > ----------------------- > www.cambodiaoutsourcing.com > www.khmerdev.com > > Martin Pitt a écrit : > >>Hi! >> >>fournaux@xxxxxxxxxxxx [2005-08-26 1:58 -0000]: >> >> >>>Once you have setup this tool, you can get statistics of a website >>>with this URL : >>> >>>http://www.server.com/awstats/awstats.pl?config=xxx >>> >>>You replace xxx by the name you gave to the configuration file of >>>your website (You have one file per website) >>> >>>But if xxx is not an existing name, the path will be disclosed to >>>the user in the resulting error message. >>> >>> >> >>I'm afraid I don't understand this properly - You request >>http://some.url?config=/path/to/nonexistant and the error page >>displays exactly this path? How can this be a vulnerability? AFAICS >>this can only determine whether a file exists or not, but this is >>really picky... >> >>Thanks for any clarification, >> >>Martin >> >> >
