[quote]The exploit is known as the "AWStats 'configdir' Remote Command Execution Exploit" and was publicly disclosed on January 17th, by security firm iDefense. According to the iDefense advisory, remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the Web server. Once exploited, the remote attacker can execute arbitrary commands, as evidenced by the defacement perpetrated by the hacker group.[/quote]
seems it's only if you use the CGI version which can be updated from the web...
from awstats site:
Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody"). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole.
FWIW: if more ignorant folk would use proper .htaccess blocking to protect their sites, things like this would not be able to happen...
[the astute will note that i used the word "ignorant" instead of "stupid" or some similar derrogative... yes, i'm using it is the manner of "lack of knowledge"... this (ignorance) is far too common a problem and folk really shold learn /how/ to work a toaster before putting in bread and expecting to get toast out :(]
OK, so you say the astute should do what you recommend. However, you failed to tell those who are ignorant like me exactly how to go about doing this! I am new to all of this stuff and trying to learn from those who are experienced and I would appreciate it if you were to tell me how to correctly configure .ht and other related things. I would also appreciate advice and information from others. Thank you all in advance. :)