
security hole in Awstats

affects version < 6.3

11:07 pm on Feb 2, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Jan 10, 2003
votes: 0


"The exploit is known as the "AWStats 'configdir' Remote Command Execution Exploit" and was publicly disclosed on January 17th, by security firm iDefense. According to the iDefense advisory, remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the Web server. Once exploited, the remote attacker can execute arbitrary commands, as evidenced by the defacement perpetrated by the hacker group."

11:17 pm on Feb 2, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Jan 10, 2003
votes: 0

seems it's only if you use the CGI version which can be updated from the web...

from awstats site:

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to the 6.3 version that fixes this security hole.

11:42 pm on Feb 2, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:May 14, 2003
votes: 0

FWIW: if more ignorant folk would use proper .htaccess blocking to protect their sites, things like this would not be able to happen...

[the astute will note that i used the word "ignorant" instead of "stupid" or some similar derogative... yes, i'm using it in the manner of "lack of knowledge"... this (ignorance) is far too common a problem and folk really should learn /how/ to work a toaster before putting in bread and expecting to get toast out :(]

i'd rather be ignorant than stupid ;)

7:24 am on Feb 14, 2005 (gmt 0)

New User

joined:Feb 12, 2005
votes: 0


OK, so you say the astute should do what you recommend. However, you failed to tell those who are ignorant like me exactly how to go about doing this! I am new to all of this stuff and trying to learn from those who are experienced and I would appreciate it if you were to tell me how to correctly configure .ht and other related things. I would also appreciate advice and information from others. Thank you all in advance. :)
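As an added example, not taken from the thread or from the AWStats project, here are the two defender-side settings the thread refers to, side by side: the AWStats configuration line that the AWStats site notice says keeps a CGI installation safe, and an Apache .htaccess that keeps the awstats.pl CGI away from anonymous visitors. The config file name, the directory layout, the realm name and the password-file path are assumptions.

```apache
# --- awstats.example.conf (constructed example; file name is assumed) ---
# Weak setting: any browser visitor can trigger a stats update through the CGI,
# which is the "updated from the web" mode the thread describes.
# AllowToUpdateStatsFromBrowser=1
#
# Mitigated setting, as stated in the AWStats site notice quoted above.
# Stats are then only refreshed by a local cron job, not by web requests.
AllowToUpdateStatsFromBrowser=0

# --- .htaccess in the cgi-bin directory holding awstats.pl (path assumed) ---
# Require HTTP Basic authentication before Apache will run the script at all,
# so unauthenticated requests never reach the Perl code. The password file
# must live outside the document root (path below is a placeholder).
AuthType Basic
AuthName "AWStats reports"
AuthUserFile /path/outside/docroot/.htpasswd
<Files "awstats.pl">
    Require valid-user
</Files>
```

Authentication narrows who can reach the CGI; it does not replace upgrading to 6.3, since the vulnerable code is still present for anyone who can log in.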
