
Website Analytics - Tracking and Logging Forum

    
security hole in Awstats
affects version < 6.3
kpaul




msg:890945
 11:07 pm on Feb 2, 2005 (gmt 0)
http://www.internetnews.com/security/article.php/3467571

[quote]The exploit is known as the "AWStats 'configdir' Remote Command Execution Exploit" and was publicly disclosed on January 17th, by security firm iDefense. According to the iDefense advisory, remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the Web server. Once exploited, the remote attacker can execute arbitrary commands, as evidenced by the defacement perpetrated by the hacker group.[/quote]

 

kpaul




msg:890946
 11:17 pm on Feb 2, 2005 (gmt 0)

seems it's only if you use the CGI version which can be updated from the web...

from awstats site:

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to 6.3 version that fixes this security hole.

wkitty42




msg:890947
 11:42 pm on Feb 2, 2005 (gmt 0)

FWIW: if more ignorant folk would use proper .htaccess blocking to protect their sites, things like this would not be able to happen...

[the astute will note that i used the word "ignorant" instead of "stupid" or some similar derogative... yes, i'm using it in the manner of "lack of knowledge"... this (ignorance) is far too common a problem and folk really should learn /how/ to work a toaster before putting in bread and expecting to get toast out :(]

i'd rather be ignorant than stupid ;)

Jackal




msg:890948
 7:24 am on Feb 14, 2005 (gmt 0)

WKitty42,

OK, so you say the astute should do what you recommend. However, you failed to tell those who are ignorant like me exactly how to go about doing this! I am new to all of this stuff and trying to learn from those who are experienced and I would appreciate it if you were to tell me how to correctly configure .ht and other related things. I would also appreciate advice and information from others. Thank you all in advance. :)

Jackal
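
Added example, not part of any post in this thread: a small Python audit that applies the safe conditions from the AWStats warning quoted above (CGI use, version 5.0 to 6.2, AllowToUpdateStatsFromBrowser not 0) and lists access-log requests to awstats.pl that carry a configdir parameter for review. The function names, the common/combined log format, the sample data, and treating a missing directive as unsafe are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_MIN, VULN_MAX = (5, 0), (6, 2)  # affected range from the AWStats warning
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def parse_directives(conf_text):
    """Return AWStats directives as a dict; '#' starts a comment."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip()] = value.strip().strip('"')
    return directives

def is_exposed(version, conf_text, runs_as_cgi):
    """True when none of the warning's safe conditions holds."""
    major, minor = (int(part) for part in version.split(".")[:2])
    in_range = VULN_MIN <= (major, minor) <= VULN_MAX
    # Assumption: a missing directive is treated as "not confirmed 0".
    setting = parse_directives(conf_text).get("AllowToUpdateStatsFromBrowser")
    return runs_as_cgi and in_range and setting != "0"

def configdir_requests(log_lines):
    """Return access-log lines requesting awstats.pl with a configdir parameter."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path.endswith("/awstats.pl") and "configdir" in params:
            hits.append(line)
    return hits

# Constructed sample data (not from a real server).
SAMPLE_CONF = 'SiteDomain="example.org"\nAllowToUpdateStatsFromBrowser=1  # enabled\n'
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Feb/2005:23:01:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.77 - - [02/Feb/2005:23:02:13 +0000] "GET /cgi-bin/awstats.pl?configdir=%2Ftmp HTTP/1.0" 200 312',
    '192.0.2.10 - - [02/Feb/2005:23:03:41 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("exposed:", is_exposed("6.2", SAMPLE_CONF, runs_as_cgi=True))
    for hit in configdir_requests(SAMPLE_LOG):
        print("review:", hit)
```

A log hit is only a prompt to look closer at that request and what the server did afterwards; it does not by itself show a compromise.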
