Date: Sun, 7 Jan 2018 04:32:32 +0100
From: Stefan Pietsch <s.pietsch@...ecurity.de>
To: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>, John Lightsey <jd@...nel.net>
Subject: Re: Path traversal flaws in awstats 7.6 and earlier.

On 06.01.2018 10:33, Hanno Böck wrote:

>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
> 
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6
> On the github repo you linked the latest version is 7.5.

The awstats GitHub page has version 7.6:
https://github.com/eldy/awstats/tags

> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.

Without a new awstats release, it gets unnecessarily difficult to track
the fix in distributions.

The author has proven that he is not able to handle security issues well
when I contacted him last year.
(https://github.com/Dolibarr/dolibarr/issues/6504)

On the project's security page there is no update so far:
http://www.awstats.org/awstats_security_news.php


Regards,
Stefan
