Charles Fry <[EMAIL PROTECTED]> writes:

> In this case, this report doesn't appear to be an actual security
> vulnerability. The configuration file needs to be placed in
> /etc/awstats, /usr/local/etc/awstats, /etc, or /etc/opt/awstats. This
> can not be done without having root access (nor can the current
> configuration files be modified without root access). Someone with root
> permissions can already execute shell code with broader permissions than
> the webserver, so this "attack" seems like a non-issue to me.

Exploit #2: http://www.example.com/cgi-bin/awstats.pl?configdir=/tmp with the attached file being placed in /tmp.

Hendrik

[Attachment: awstats.conf (Description: Binary data)]
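
A defender-side check for the request pattern in the message above, as an added example that is not part of the original thread or of AWStats: it scans web access-log lines for awstats.pl requests whose configdir parameter resolves outside the four directories named in the quoted text. The Combined Log Format, the sample lines and the function names are assumptions; parameters sent in a POST body do not appear in such logs.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Directories the quoted text names as the root-only config locations.
TRUSTED_DIRS = {"/etc/awstats", "/usr/local/etc/awstats", "/etc", "/etc/opt/awstats"}

# Request line inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/awstats.pl?configdir=/tmp HTTP/1.1" 200 5120',
    '192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-bin/awstats.pl?configdir=%2Fetc%2Fawstats%2F..%2F..%2Ftmp HTTP/1.1" 200 5120',
    '192.0.2.13 - - [01/Jan/2000:10:00:12 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats/ HTTP/1.1" 200 5120',
]


def suspicious_configdirs(log_line):
    """Return configdir values in an awstats.pl request that resolve outside TRUSTED_DIRS."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/awstats.pl"):
        return []
    hits = []
    # parse_qsl percent-decodes, so configdir=%2Ftmp is compared as /tmp.
    for key, value in parse_qsl(url.query):
        # Parameter name matched case-insensitively to stay conservative.
        if key.lower() != "configdir":
            continue
        # Collapse "../" segments and trailing slashes before comparing.
        if posixpath.normpath(value) not in TRUSTED_DIRS:
            hits.append(value)
    return hits


def scan(lines):
    """Return (1-based line number, offending values) for every flagged line."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        values = suspicious_configdirs(line)
        if values:
            flagged.append((number, values))
    return flagged


if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: configdir outside trusted directories: {values}")
```
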