Full Version: Awstats Vulnerability
Beltza
From the AWStats page:

QUOTE
Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using the permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with the option AllowToUpdateStatsFromBrowser set to 0, you are safe. If not, it is highly recommended to update to version 6.3, which fixes this security hole.


The cPanel version used by TCH is using version 6.2, and can therefore be exploited. By default the option AllowToUpdateStatsFromBrowser is not active, but people having this option activated might consider disabling it.
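Two checks a server admin might want at this point, written as an added example for this thread (it is not code from AWStats, cPanel or TCH): first, read an AWStats config file and report whether AllowToUpdateStatsFromBrowser is on, since the advisory quoted above says 0 is the safe value; second, scan Apache combined-format access log lines for requests to awstats.pl whose URL-decoded parameter values carry shell metacharacters, which is what a command-injection attempt through a CGI parameter looks like regardless of which parameter is abused. The config text and log lines are constructed for the example, the parameter names in the sample requests are illustrative, and treating a missing directive as "off" is an assumption.

```python
#!/usr/bin/env python3
"""Added example: config check plus access-log scan for AWStats-as-CGI.

Not code from the forum thread, AWStats or cPanel. Sample config text
and log lines are constructed; the request parameter names are
illustrative (the scan does not depend on them).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Characters that have no legitimate place inside an AWStats parameter
# value; any of them in a decoded value is treated as a finding.
SHELL_META = re.compile(r"[|;`$&<>\n]")

CONFIG_RE = re.compile(r"^\s*AllowToUpdateStatsFromBrowser\s*=\s*(\d+)", re.M)

# Apache "combined" log prefix: ip ident user [time] "method target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def browser_update_enabled(config_text):
    """True if AllowToUpdateStatsFromBrowser is set to anything but 0.

    Assumption: a config with no such directive is treated as off, and
    if the directive appears more than once the last one wins.
    """
    values = CONFIG_RE.findall(config_text)
    if not values:
        return False
    return values[-1] != "0"


def suspicious_params(target):
    """Return [(name, decoded_value)] for awstats.pl query parameters
    whose decoded value contains a shell metacharacter."""
    parts = urlsplit(target)
    if not parts.path.endswith("awstats.pl"):
        return []
    hits = []
    # parse_qsl percent-decodes values, so %7C becomes "|" and %0a "\n".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per log line that carries a suspicious awstats.pl request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "params": hits})
    return findings


# Constructed sample config files (AWStats uses plain key=value lines).
SAFE_CONF = (
    '# cPanel-generated config (constructed sample)\n'
    'LogFile="/usr/local/apache/domlogs/example.com"\n'
    'AllowToUpdateStatsFromBrowser=0\n'
)
UNSAFE_CONF = SAFE_CONF.replace("AllowToUpdateStatsFromBrowser=0",
                                "AllowToUpdateStatsFromBrowser=1")

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    # Ordinary stats request: no metacharacters, not a finding.
    '192.0.2.10 - - [06/Feb/2005:03:12:44 +0000] '
    '"GET /awstats/awstats.pl?config=example.com&update=1 HTTP/1.1" 200 5120',
    # Pipe characters smuggled into a parameter value: finding.
    '198.51.100.7 - - [06/Feb/2005:03:15:02 +0000] '
    '"GET /awstats/awstats.pl?config=example.com&configdir=%7Cecho%20%3Bid%7C HTTP/1.1" 200 912',
    # Same metacharacters, but not an awstats.pl request: ignored here.
    '203.0.113.5 - - [06/Feb/2005:03:16:30 +0000] '
    '"GET /cgi-bin/search.cgi?q=a%7Cb HTTP/1.0" 200 300',
    # Newline injected into a value: finding.
    '198.51.100.7 - - [06/Feb/2005:03:17:51 +0000] '
    '"GET /awstats/awstats.pl?config=example.com%0auname%20-a HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    print("browser updates enabled (safe conf):", browser_update_enabled(SAFE_CONF))
    print("browser updates enabled (unsafe conf):", browser_update_enabled(UNSAFE_CONF))
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["time"], f["status"], f["params"])
```

Run it against a real domlog with `scan_log(open(path))` and against `/etc/awstats/awstats.<domain>.conf` for the config check; a hit on the log scan is worth investigating as the web server user's account, since that is the privilege level the advisory says the injected command runs with.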
TCH-Don
Thank you for the info.
I do not need that option anyway,
I am content to check my stats once a day if I am curious.
TCH-Dick
Since AWStats 6.3 is not yet considered stable, cPanel patched AWStats 6.2 on Jan 26, 2005.
Beltza
AWStats 6.3 has been stable since Jan. 28. I understand that it will take some time before cPanel updates AWStats again.

Furthermore, the default behaviour of cPanel is to overwrite the AWStats configuration every day with the default configuration, which is safe from being exploited, so there is no big issue for most clients.
vrflyer
Has anyone noticed that www.phpbb.com, along with numerous other sites, got hit over the weekend due to this security hole?

Here's a good link also from an end user: http://www.chovy.com/2005/02/simiens-crew-...hey-did-it.html
TCH-Services
We manually updated AWstats on all TCH servers just now to prevent this exploit.
TCH-Don
Thanks Mike
Beltza
QUOTE(TCH-Mike @ Feb 8 2005, 04:01 AM)
We manually updated AWstats on all TCH servers just now to prevent this exploit.


My AWStats page still tells me that it is version 6.2. I have my site on server85.
TCH-Services
The update does not change the version, it is just a patch for 6.2
Beltza
A new exploit for AWStats has been announced. Anything less than 6.4 is vulnerable: "Successful exploitation of an input validation vulnerability in AWStats scripts allows attackers to execute limited perl directives under the privileges of the web server, get sensitive information. Some actions of the attacker can lead to denial of service." More information: AWStats - Multiple Vulnerabilities
TCH-Bruce
Thanks for the info