Please, could someone look into this? The guys don't seem to be willing to file a bug report, but this makes me really nervous. Unfortunately I cannot provide any more information on this, I just have been reading through the Gentoo Forums. http://forums.gentoo.org/viewtopic-t-300307.html Sorry if this is a hoax but this webapp has had a really poor security record recently. :-(
Reproducible: Always
Steps to Reproduce:
The configdir thing was fixed in 6.3-r2 (GLSA 200501-36). My guess is that the guy there either is just thinking he was rooted because the probe shows on his apache logs. The other guy was probably running a vulnerable phpBB. I commented on the post.
Thanks, Koon. Oh yes, phpBB is another bug-infested webapp. :-(
Hmm the guy says he was running 6.3-r2, so we better doublecheck this.
I've double checked and can confirm the vulnerability that log entry was attempting to exploit is definitely fixed in 6.3-r2. The parameter is stripped of any meta characters.
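The two things the thread turns on are spotting the configdir probe in Apache access logs and checking that a configdir value survives the metacharacter stripping unchanged. The following is an added example, not code from this bug, from the forum thread, or from awstats itself: it parses constructed Apache combined-format lines, flags requests to awstats.pl whose configdir value contains shell metacharacters, and shows a sanitizer that approximates the fix. The metacharacter set, the log lines and the helper names are assumptions made for the example.

```python
"""Spot awstats configdir probes in Apache access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that must never reach a shell via configdir.
# ASSUMPTION: this set is chosen for the example; it is not the exact
# list stripped by the awstats 6.3-r2 patch.
SHELL_META = re.compile(r"[|;&`$<>(){}\[\]*?!\\'\"\n\r]")

# Prefix of the Apache combined log format, enough to pull out the
# client address and the request URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) '
)


def configdir_values(url):
    """Decoded values of the configdir query parameter in a request URL."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("configdir", [])


def sanitize_configdir(value):
    """Approximation of the fixed behaviour: drop every metacharacter."""
    return SHELL_META.sub("", value)


def is_configdir_probe(url):
    """True when a request to awstats.pl carries a configdir value that
    the sanitizer would have to alter, i.e. one aimed at the old bug."""
    if "awstats.pl" not in url:
        return False
    return any(sanitize_configdir(v) != v for v in configdir_values(url))


def scan_log(lines):
    """Return (client, url) for each log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_configdir_probe(m.group("url")):
            hits.append((m.group("ip"), m.group("url")))
    return hits


# Constructed sample log lines (not taken from the forum thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2005:03:14:07 +0000] '
    '"GET /cgi-bin/awstats/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [12/Feb/2005:03:15:01 +0000] '
    '"GET /cgi-bin/awstats/awstats.pl?configdir=/etc/awstats&config=example.org HTTP/1.1" 200 8192 "-" "-"',
    '192.0.2.77 - - [12/Feb/2005:03:16:30 +0000] '
    '"GET /index.html HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"probe from {ip}: {url}")
```

A hit in the scan only tells you that someone tried the old bug; as the comment above says, on 6.3-r2 the metacharacters are stripped before the value is used, so the follow-up check is the installed version, not the log line.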
OK... Someone can reopen if they can show us how the fixed awstats would be vulnerable.