Bug 83657 - Possible critical bug in awstats 6.3-r2 leading to gaining root privileges
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://forums.gentoo.org/viewtopic-t-...
Reported: 2005-03-01 03:25 UTC by Jakub Moc (RETIRED)
Modified: 2005-03-01 04:58 UTC (History)
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-03-01 03:25:08 UTC
Please, could someone look into this? The guys don't seem to be willing to file a bug report, but this makes me really nervous. Unfortunately I cannot provide any more information on this, I just have been reading through the Gentoo Forums.

http://forums.gentoo.org/viewtopic-t-300307.html

Sorry if this is a hoax but this webapp has had a really poor security record recently. :-(

Reproducible: Always
Steps to Reproduce:
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 03:37:20 UTC
The configdir thing was fixed in 6.3-r2 (GLSA 200501-36). My guess is that the guy there either is just thinking he was rooted because the probe shows on his apache logs.

The other guy was probably running a vulnerable phpBB. I commented on the post.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2005-03-01 03:40:38 UTC
Thanks, Koon. Oh yes, phpBB is another bug-infested webapp. :-(
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 03:44:36 UTC
Hmm the guy says he was running 6.3-r2, so we better doublecheck this.
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-01 04:16:09 UTC
I've double checked and can confirm the vulnerability that log entry was attempting to exploit is definitely fixed in 6.3-r2... the parameter is stripped of any meta characters.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 04:58:19 UTC
OK... Someone can reopen if they can show us how the fixed awstats would be vulnerable.