Message-ID: <bc734975-d19a-6198-7a8f-6762924342b0@e2security.de>
Date: Sun, 7 Jan 2018 04:32:32 +0100
From: Stefan Pietsch <s.pietsch@...ecurity.de>
To: oss-security@...ts.openwall.com, Hanno Böck
 <hanno@...eck.de>, John Lightsey <jd@...nel.net>
Subject: Re: Path traversal flaws in awstats 7.6 and earlier.

On 06.01.2018 10:33, Hanno Böck wrote:

>> The cPanel Security Team discovered two path traversal flaws in
>> awstats that could be leveraged for unauthenticated remote code
>> execution.
> 
> On
> https://awstats.sourceforge.io/#DOWNLOAD
> the latest version is still 7.6
> On the github repo you linked the latest version is 7.5.

The awstats GitHub page has version 7.6:
https://github.com/eldy/awstats/tags

> Are you in contact with the developers? It's not exactly ideal that
> there's a publicly known remote code execution and there is no new
> release containing the fix.

Without a new release of awstats, it becomes unnecessarily
difficult to track the fix in distributions.

The author has proven that he is not able to handle security issues well
when I contacted him last year.
(https://github.com/Dolibarr/dolibarr/issues/6504)

On the project's security page there is no update so far:
http://www.awstats.org/awstats_security_news.php


Regards,
Stefan
