
Awstats Vulnerability?


Recommended Posts

I have read in a couple of places about an awstats vulnerability; here is one such instance (of three different ones I have come across in the last week):

 

Again through awstats and this time the developers cannot get into the server, even in single user mode. Please, please, please, if you are running a version of awstats on your server/account, make sure it is at the latest code and your stats are locked out from the rest of the world.

So my questions are: how do we know if we have the latest awstats code? In general, is this something that we can update ourselves or do we have to wait for cPanel to release an update? How do we know if our stats are "locked out from the rest of the world?"

 

I'm not trying to be a panic merchant. I'm just wanting to make sure I'm not perpetuating some security risk because I haven't done something to my server that I ought to.

 

(Chances are, all is probably well, and I need not worry! :()


Users cannot update this themselves. The method depends on the severity of the issue as it relates to our customers. If it is a huge issue that we know will start causing problems then we may take it upon ourselves to update something. If it is something that has a very small chance of becoming an issue then we often wait for cPanel to update.

 

At least that is my understanding of things.

How do we know if our stats are "locked out from the rest of the world?"

The vulnerability was announced back in January, and discussed on the TCH forums here. It has to do with the AWStats "AllowToUpdateStatsFromBrowser" config option being enabled. By default, this is set to "0" (disabled) and your stats are "locked out from the rest of the world". You would have had to manually configure AWStats to "unlock" them by setting the "AllowToUpdateStatsFromBrowser" option to "1".

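An added check, not from this thread or from AWStats itself, that answers the "how do we know" question for a set of config files: it reports every awstats*.conf whose effective AllowToUpdateStatsFromBrowser value is 1, ignoring the stock comment lines that mention the option. The sample configs are constructed, and the conf directory path passed to scan_directory is assumed.

```python
from __future__ import annotations
import re
from pathlib import Path

# Matches an uncommented assignment such as:  AllowToUpdateStatsFromBrowser = "1"
_ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#\s]*)"?')

def effective_option(conf_text: str, option: str, default: str = "0") -> str:
    """Return the value AWStats would use for `option` in this config text.

    Comment lines (leading '#') are ignored even when they mention the option;
    this matters because the stock awstats.conf comments quote the option name
    above the real setting. If the option is assigned more than once, the last
    assignment wins (AWStats reads the file top to bottom). Unset -> default "0".
    """
    value = default
    for line in conf_text.splitlines():
        m = _ASSIGN_RE.match(line)
        if m and m.group(1) == option:
            value = m.group(2)
    return value

def unlocked_configs(configs: dict[str, str]) -> list[str]:
    """Names of configs where browser-triggered updates are enabled ("1")."""
    return sorted(
        name for name, text in configs.items()
        if effective_option(text, "AllowToUpdateStatsFromBrowser") == "1"
    )

def scan_directory(conf_dir: str) -> list[str]:
    """Same check over real files: every awstats*.conf under conf_dir (assumed path)."""
    files = {p.name: p.read_text(errors="replace")
             for p in Path(conf_dir).glob("awstats*.conf")}
    return unlocked_configs(files)

# Constructed sample configs, modelled on the comment block quoted in the thread.
SAMPLE_CONFIGS = {
    "awstats.example.com.conf": (
        "# When this parameter is set to 1, AWStats add a button on report page\n"
        "# AllowToUpdateStatsFromBrowser=1   <- only a comment, must be ignored\n"
        "AllowToUpdateStatsFromBrowser=1\n"),
    "awstats.locked.conf": '# Default: 0\nAllowToUpdateStatsFromBrowser = "0"\n',
    "awstats.omitted.conf": "DirData=/home/user/tmp/awstats\n",
    "awstats.overridden.conf": (
        "AllowToUpdateStatsFromBrowser=1\n"
        "AllowToUpdateStatsFromBrowser=0   # later line wins\n"),
}

if __name__ == "__main__":
    for name in unlocked_configs(SAMPLE_CONFIGS):
        print(f"{name}: AllowToUpdateStatsFromBrowser=1 (stats updatable from the web)")
```

Pointing scan_directory at the directory holding your awstats config files gives the same list for a real account.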

Thanks David,

 

I think I may be in trouble, then.

 

Here is the setting in my awstats config files (I changed the settings on all my domains and in all of my subdomains):

 

# When this parameter is set to 1, AWStats add a button on report page to
# allow to "update" statistics from a web browser. Warning, when "update" is
# made from a browser, AWStats is ran as a CGI by the web server user
# defined in your web server (user "nobody" by default with Apache, "IUSR_XXX"
# with IIS), so the "DirData" directory and all already existing history files
# (awstatsMMYYYY[.xxx].txt) must be writable by this user. Change permissions
# if required.
# Warning: Update process can be long so you might experience "time out"
# browser errors if you don't launch AWStats enough frequently.
# When set to 0, update is only made when AWStats is ran from the command
# line interface (or a task scheduler).
# Possible values: 1 or 0
# Default: 0
#
AllowToUpdateStatsFromBrowser=1

I changed this setting to "1" because I wanted to be able to see more accurate statistics when I went to awstats. By allowing myself to click the update now button, I could get better information than awstats was providing by default.

 

When I searched the forums, this was a solution that I found that seemed to be the best solution for me (since I have absolutely no idea how to create a cron job; nay, not even where to start). I read in a parallel thread that I had to be careful because running the update now button causes the server to work hard, and if we were to click the button frequently we would bring down upon us the ire of the server gurus.

 

Since I only view awstats every other day or so (or less), I wasn't worried about it.

 

But now, it appears, I am opening myself up to a security breach because of my setting.

 

So, I guess I need to switch it back to "0". How then, can I get more frequently updated stats in my awstats??

 

Thanks for your help.


Stats are run once a day usually in the middle of the night depending on server loads at the time.

 

The only way to get more recent stats is to do what you are currently doing, or to install your own stats program.

I changed this setting to "1" because I wanted to be able to see more accurate statistics when I went to awstats. By allowing myself to click the update now button, I could get better information than awstats was providing by default.

By forcing updates of AWStats, the statistics aren't what I would call "more accurate" or "better" - they are just more recently updated. :P AWStats is not intended to be a "live" statistics program, but the stats you see in AWStats should be no more than 24 hours old. Depending on what you're wanting to see, there may be a better way to get it than by performing AWStats updates.

 

I read in a parallel thread that I had to be careful because running the update now button causes the server to work hard, and if we were to click the button frequently we would bring down upon us the ire of the server gurus.

Running AWStats updates is indeed very CPU intensive, and performing excessive updates could get you in trouble with the server admins (your account could get suspended). Even performing a single update could get you in trouble if it drags down the server too much.

 

So, I guess I need to switch it back to "0". How then, can I get more frequently updated stats in my awstats??

See TCH-Bruce's answer above. :P
