Package: awstats
Version: 7.6+dfsg-2
Severity: normal

Dear Maintainer,

the patch for CVE-2017-1000501 seems to have been incomplete. Please see this report upstream: https://github.com/eldy/awstats/issues/90

awstats will parse arbitrary files passed in the "config" parameter if the default /etc/awstats/awstats.conf is not present. The Debian package will install awstats.conf, so a default install does not seem to be vulnerable. However, it is possible to use awstats with separate configs for different sites without the default awstats.conf (although README.Debian recommends leaving awstats.conf in place).

I can confirm that the reported issue exists in awstats 7.6+dfsg-2 and 7.6+dfsg-1+deb9u1.

Steps to reproduce (on Stretch):

  # apt-get install awstats
  # rm /etc/awstats/awstats.conf
  # cp /usr/share/doc/awstats/examples/apache.conf /etc/apache2/conf-available/awstats.conf
  # a2enconf awstats
  # systemctl reload apache2

Visit http://localhost/cgi-bin/awstats.pl?config=/etc/passwd

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages awstats depends on:
ii  perl  5.24.1-3+deb9u2

Versions of packages awstats recommends:
ii  libnet-xwhois-perl  0.90-4

Versions of packages awstats suggests:
ii  apache2 [httpd]     2.4.25-3+deb9u3
pn  libgeo-ipfree-perl  <none>
ii  libnet-dns-perl     1.07-1
ii  libnet-ip-perl      1.26-1
ii  liburi-perl         1.71-1

-- Configuration Files:
/etc/awstats/awstats.conf [Errno 2] No such file or directory: '/etc/awstats/awstats.conf'

-- no debconf information
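The report above describes awstats reading whatever file is named in the "config" query parameter when the default /etc/awstats/awstats.conf is absent. The following is an added detection example, not code from the bug report, from Debian, or from the awstats project: it scans Apache combined-format access-log lines for awstats.pl requests whose "config" value looks like a file path rather than a plain site name. It assumes that a legitimate per-site config name is a hostname-like token of letters, digits, dots, dashes and underscores (awstats resolves it to awstats.<name>.conf), so any value containing a path separator or ".." is flagged. The log lines are constructed for the example.

```python
"""Flag awstats.pl requests whose "config" parameter looks like a file path.

Added example (not from the bug report or the awstats project). Assumption:
a benign awstats config name is a hostname-like token, so a value with a
path separator or ".." names a file outside the awstats config directory.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request field of an Apache combined-format log line: "METHOD TARGET HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Assumed shape of a benign awstats config name (e.g. example.com).
_SAFE_CONFIG_RE = re.compile(r'^[A-Za-z0-9._-]+$')


def extract_config(target):
    """Return the decoded "config" query value of an awstats.pl request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/awstats.pl'):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get('config')
    return values[0] if values else None


def is_suspicious_config(value):
    """True when the config name could refer to a file outside the config directory."""
    if not value:
        return False
    if '..' in value:
        return True
    return not _SAFE_CONFIG_RE.match(value)


def suspicious_config_requests(log_lines):
    """Return (client_ip, config_value) for every line with a path-like config."""
    hits = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        config = extract_config(match.group('target'))
        if is_suspicious_config(config):
            client_ip = line.split(' ', 1)[0]
            hits.append((client_ip, config))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2018:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2018:10:00:02 +0000] "GET /cgi-bin/awstats.pl?config=/etc/passwd HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Jan/2018:10:00:03 +0000] "GET /cgi-bin/awstats.pl?config=..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 300',
    '198.51.100.9 - - [10/Jan/2018:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == '__main__':
    for client_ip, config in suspicious_config_requests(SAMPLE_LOG):
        print(f'{client_ip} requested awstats config {config!r}')
```

Percent-encoded traversal sequences are decoded by parse_qs before the check, so "..%2F..%2F" is caught the same way as a literal "../../". On a host that follows the README.Debian advice and keeps /etc/awstats/awstats.conf in place, a hit is still worth reviewing, since it shows someone probing for the behaviour the report describes.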