Beltza Posted January 31, 2005
From the AWStats page: Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody"). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser set to 0, you are safe. If not, it is highly recommended to update to version 6.3, which fixes this security hole. The cPanel version used by TCH is using version 6.2, and can therefore be exploited. By default the option AllowToUpdateStatsFromBrowser is not active, but people having this option activated might consider disabling it.
TCH-Don Posted January 31, 2005
Thank you for the info. I do not need that option anyway; I am content to check my stats once a day if I am curious.
TCH-Dick Posted January 31, 2005
Since AWStats 6.3 is not yet considered stable, cPanel patched AWStats 6.2 on Jan 26, 2005.
Beltza Posted February 1, 2005
AWStats 6.3 is stable since Jan. 28. I understand that it will take some time before cPanel updates AWStats again. Furthermore, the default behaviour of cPanel is to overwrite the AWStats configuration every day with the default configuration, which is safe from being exploited, so there is no big issue for most clients.
vrflyer Posted February 7, 2005
Has anyone noticed that www.phpbb.com, along with numerous other sites, got hit over the weekend due to this security hole? Here's also a good link from an end user: http://www.chovy.com/2005/02/simiens-crew-...hey-did-it.html
TCH-Dick Posted February 8, 2005
We manually updated AWstats on all TCH servers just now to prevent this exploit.
Beltza Posted February 8, 2005
"We manually updated AWstats on all TCH servers just now to prevent this exploit."
My AWStats page still tells me that it is version 6.2. I have my site on server85.
TCH-Dick Posted February 8, 2005
The update does not change the version; it is just a patch for 6.2.
Beltza Posted February 24, 2005
A new exploit for AWStats has been announced. Anything less than 6.4 is vulnerable: "Successful exploitation of an input validation vulnerability in AWStats scripts allows attackers to execute limited perl directives under the privileges of the web server, get sensitive information. Some actions of the attacker can lead to denial of service." More information: AWStats - Multiple Vulnerabilities
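The two advisories in this thread reduce to a small set of rules an administrator can check against each awstats.*.conf file: 5.0 to 6.2 used as a CGI with AllowToUpdateStatsFromBrowser=1 is the remote command execution case (fixed in 6.3, disabled by setting the option to 0), anything below 6.4 carries the later input-validation issue, and a cPanel-patched 6.2 still reports "6.2", so a version string alone cannot prove a host is unpatched. The audit script below is an added example, not code from the thread, from AWStats, cPanel or TCH; it assumes the real AWStats Key=value config syntax, takes the version string the way Beltza read it (from the AWStats page), and the two sample config fragments are constructed for the demonstration.

```python
"""Audit AWStats deployments against the advisories discussed in this thread.

Rules encoded (from the thread only):
  * 5.0 <= version <= 6.2 with AllowToUpdateStatsFromBrowser=1
    -> remote command execution as the web server user; fixed in 6.3.
  * version < 6.4 -> later input-validation issue; upgrade to 6.4.
  * cPanel's patched 6.2 still reports "6.2"; reported as "verify", not "critical".
"""
import re
from typing import Dict, List, Tuple

# AWStats config files are "Key=value" lines; "#" starts a comment; values may be quoted.
_KV_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_awstats_config(text: str) -> Dict[str, str]:
    """Return the Key=value pairs of an awstats.*.conf file with surrounding quotes removed."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _KV_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def parse_version(version: str) -> Tuple[int, int]:
    """Reduce '6.2', '6.3' or '6.4 (build ...)' to a comparable (major, minor) pair."""
    match = re.match(r'\s*(\d+)\.(\d+)', version)
    if not match:
        raise ValueError(f"unrecognised AWStats version string: {version!r}")
    return int(match.group(1)), int(match.group(2))


def assess(version: str, config: Dict[str, str], cpanel_patched: bool = False) -> List[str]:
    """Return human-readable findings for one host; an empty list means nothing to do."""
    ver = parse_version(version)
    # The thread states the option is off by default, so a missing key counts as 0.
    browser_update = config.get("AllowToUpdateStatsFromBrowser", "0").strip() == "1"
    findings: List[str] = []

    if (5, 0) <= ver <= (6, 2) and browser_update:
        if cpanel_patched:
            findings.append("verify: reports 6.2 with browser updates enabled; the vendor "
                            "patch keeps the 6.2 version string, so confirm it is applied")
        else:
            findings.append("critical: remote command execution as the web server user "
                            "(AWStats 5.0-6.2 CGI with AllowToUpdateStatsFromBrowser=1); "
                            "set AllowToUpdateStatsFromBrowser=0 or upgrade to 6.3")
    if ver < (6, 4):
        findings.append("upgrade: versions below 6.4 carry the later input-validation "
                        "issue (limited perl directives, information disclosure, denial "
                        "of service); upgrade to 6.4")
    return findings


# Constructed sample config fragments for the demonstration (not files from the thread).
SAMPLE_EXPOSED = """\
# constructed sample: browser-triggered updates enabled
LogFile="/var/log/httpd/access_log"
SiteDomain="example.com"
AllowToUpdateStatsFromBrowser=1
"""

SAMPLE_DEFAULT = """\
# constructed sample: cPanel default, option left off
SiteDomain="example.com"
AllowToUpdateStatsFromBrowser=0
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("default", SAMPLE_DEFAULT)):
        for finding in assess("6.2", parse_awstats_config(text)):
            print(f"[{name}] {finding}")
```

Run it against each config directory a host serves; the "verify" branch exists precisely because, as TCH-Dick notes above, the vendor patch does not change the reported version, so the script can only tell you where to look, not that the patch is present.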