scivilla.blogg.se

Cgi bin awstats pl install#
Cgi bin awstats pl update#
Cgi bin awstats pl full#

I think the script needs to create files in that directory but the directory /var/lib/awstats/ is not writable by the apache user.

Cgi bin awstats pl update#

But when I clicked the “update” link to update the statistics, it said ” cannot write to /var/lib/awstats/xxxx.tmp”.

The awstats statistic page showed up in my browser. So I changed “Require local” to “Require all granted”. Now what we can do is allowing more visitors to access the awstats script. Without this, nobody can access resources outside the document directory of your website. I guess “Require local” means only allowing access by visitors from local server(the server hosting the website and the awstats). You can only guess what the mysterious instructions are used for. I’ve not found the document about “Require local” even on Apache’s office website( this page and this page). However, that directory is restricted to access only from local by the section. usr / share / awstats / wwwroot / cgi - bin / awstats. When I visited the awstats webpage( ), it displayed an error message in the browser: You can get the detailed steps to create a conf file for your website in that post. I created a conf file for my website and edited some settings (LogFile, AllowToUpdateStatsFromBrowser ) in that conf file. The remaining configuration process is the same as talked in that post.

I do not know the difference between /usr/share and /usr/local so I just typed “Y” to confirm the installation. But you will be reminded by yum that awstats will be installed to non-standard location: /usr/share/ instead of the standard location /usr/local.

Cgi bin awstats pl install#

You can use yum to install awstats and yum will install all dependent packages automatically for you. Today, I tried to install awstats on CentOS7 and the process became a little different.įirst, you do not need to download and install the awstats rpm package any longer.

That post actually teaches you to install awstats on CentOS 6, where you need to download the awstats package from sourceforge and install it and its dependent software manually. MitigationI wrote a post on installing awstats on CentOS. In AWStats cgibin/config accepts an absolute pathname, eventhough it was intended to only read a file in the /etc/awstats/nf format. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system. The vulnerability exists due to input validation error when processing directory traversal sequences. We are not aware of malware exploiting this vulnerability. Is there known malware, which exploits this vulnerability? This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Cgi bin awstats pl full#

Full software list in CPE2.3 format available after registration.Ĭan this vulnerability be exploited remotely?.

MitigationĬybersecurity Help is currently unaware of any official solution to address this vulnerability. The vulnerability exists due to input validation error when processing directory traversal sequences in the "config" parameter in the cgi-bin/ script. The vulnerability allows a remote attacker to perform directory traversal attacks. CVSSv3.1: 6.9 ĬWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')