AWStats Debug Remote Information Disclosure Vulnerability

Bugtraq ID:	12545
Class:	Access Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 14 2005 12:00AM
Updated:	Feb 14 2005 12:00AM
Credit:	GHC <[email protected]> is credited with the discovery of this issue.
Vulnerable:	AWStats AWStats 6.3 AWStats AWStats 6.2 AWStats AWStats 6.1 AWStats AWStats 6.0 AWStats AWStats 5.9 AWStats AWStats 5.8 AWStats AWStats 5.7 AWStats AWStats 5.6 AWStats AWStats 5.5 AWStats AWStats 5.4 AWStats AWStats 5.3 AWStats AWStats 5.2 AWStats AWStats 5.1 AWStats AWStats 5.0 AWStats AWStats 6.5.0 build 1.857
Not Vulnerable:

AWStats Debug Remote Information Disclosure Vulnerability

A remote information disclosure vulnerability reportedly affects AWStats. This issue is due to a failure of the application to properly validate access to sensitive data.

An attacker may leverage this issue to gain access to potentially sensitive data, possibly facilitating further attacks against an affected computer.

AWStats Debug Remote Information Disclosure Vulnerability

No exploit is required to leverage this issue. The following proof of concepts have been provided:

http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?debug=1
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?debug=2

AWStats Debug Remote Information Disclosure Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

AWStats Debug Remote Information Disclosure Vulnerability

References:

• AWStats Homepage (AWStats)
  
• AWStats <= 6.4 Multiple vulnerabilities (GHC )