Jump to content
Beltza

Awstats Vulnerability

Recommended Posts

From the AWStats page:

 

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").

If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole.

 

The cPanel version used by TCH is using version 6.2, and can therefore be exploited. By default the option AllowToUpdateStatsFromBrowser is not active, but people having this option activated might consider disabling it.

Share this post


Link to post
Share on other sites

Thank you for the info.

I do not need that option anyway,

I am content to check my stats once a day if I am curious.

Share this post


Link to post
Share on other sites

Since AWStats 6.3 is not yet considered stable, cPanel patched AWStats 6.2 on Jan 26, 2005.

Share this post


Link to post
Share on other sites

AWStats 6.3 is stable since Jan. 28. I understand that it will take some time before cPanel updates AWStats again.

 

Furthermore, the default behaviour of cPanel is to overwrite the AWStats configuration every day with the default configuration, which is safe from being exploited, so there is no big issue for most clients.

Share this post


Link to post
Share on other sites

A new exploit for AWStats has been announced. Anything less than 6.4 is vulnerable: "Successful exploitation of an input validation vulnerability in AWStats scripts allows attackers to execute limited perl directives under the privileges of the web server, get sensitive information. Some actions of the attacker can lead to denial of service." More information: AWStats - Multiple Vulnerabilities

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...