I have read in a couple of places about an awstats vulnerability; Here is one such instance (of three different ones I have come across in the last week):


So my questions are: how do we know if we have the latest awstats code? In general, is this something that we can update ourselves or do we have to wait for cPanel to release an update? How do we know if our stats are "locked out from the rest of the world?"

I'm not trying to be a panic merchant. I'm just wanting to make sure I'm not perpetuating some security risk because I haven't done something to my server that I ought to.

(Chances are, all is probably well, and I need not worry! )

Users cannot update this themselves. Depending on the severity of the issue as it relates to our customers determines the method. If it is a huge issue that we know will start causing problems then we may take it upon ourselves to update something. If it is something that has a very small chance of becoming an issue then we often wait for cPanel to update.

At least that is my understanding of things.

The vulnerability was announced back in January, and discussed on the TCH forums here. It has to do with the AWStats "AllowToUpdateStatsFromBrowser" config option being enabled. By default, this is set to "0" (disabled) and your stats are "locked out from the rest of the world". You would have had to manually configure AWStats to "unlock" them by setting the "AllowToUpdateStatsFromBrowser" option to "1".

Thanks David,

I think I may be in trouble, then.

Here is the setting in my awstats config files (I changed the settings on all my domains and in all of my subdomains):


I changed this setting to "1" becaue I wanted to be able to see more accurate statistics when I went to awstats. By allowing myself to click the update now button, I could get better information than awstats was providing by default.

When I searched the forums, this was a solution that I found that seemed to be the best solution for me (since I have absolutley no idea how to create a cron job; nay, not even where to start). I read in a parallel thread that I had to be careful because running the update now button causes the server to work hard, and if we were to click the button frequently we would bring down upon us the ire of the server gurus.

Since I only view awstats every other day or so (or less), I wasn't worried about it.

But now, it appears, I am opening myself up to a security breach because of my setting.

So, I guess I need to switch it back to "0". How then, can I get more frequently updated stats in my awstats??

Thanks for your help.

Stats are run once a day usually in the middle of the night depending on server loads at the time.

The only way to get more recent stats is to do what you are currently doing. Or installing your own stats program.

By forcing updates of AWStats, the statistics aren't what I would call "more accurate" or "better" - they are just more recently updated. AWStats is not intended to be a "live" statistics program, but the stats you see in AWStats should be no more than 24 hours old. Depending on what you're wanting to see, there may be a better way to get it than by performing AWStats updates.


Running AWStats updates is indeed very CPU intensive, and performing excessive updates could get you in trouble with the server admins (your account could get suspended). Even performing a single update could get you in trouble if it drags down the server too much.


See TCH-Bruce's answer above.

One other thing you can do is install a stats program locally and download the raw log and process it on your own machine.

Given that the awstats in cPanel requires you to login to view it it should not be exploitable. If you installed awstats yourself use .htpasswd to protect it.