Wednesday, February 02, 2005

Awstats security hole

An update to this entry has been posted here.

There is a security hole in AWStats versions 5.0 through 6.2 when AWStats is used as a CGI: a remote user can execute arbitrary commands on your server with the permissions of your web server user. However, if you use another AWStats version, or have the option AllowToUpdateStatsFromBrowser set to 0, you are safe.

See a sample exploit.

Anyone using the older versions must upgrade to the latest 6.3 version. Even some high-profile bloggers like Russell Beattie and Jeremy Zawodny had their servers hacked because of this exploit.
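As an added example that is not part of the original post: a small audit script that applies the post's two conditions (version between 5.0 and 6.2, and AllowToUpdateStatsFromBrowser not set to 0) to an AWStats version string and the text of awstats.conf. The sample config lines are constructed, and treating a missing AllowToUpdateStatsFromBrowser key as enabled is an assumption made for a conservative audit.

```python
# Added example, not from the original post: check an AWStats CGI install
# against the two conditions the post states - a version in the 5.0..6.2
# range and AllowToUpdateStatsFromBrowser left enabled. The Key=Value /
# '#'-comment format matches awstats.conf; the sample configs are constructed.
import re

AFFECTED_MIN = (5, 0)
AFFECTED_MAX = (6, 2)


def parse_version(text):
    """Turn '6.2' or 'AWStats 6.1 (build 1.1)' into a comparable (major, minor) tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)))


def parse_config(text):
    """Read Key=Value lines from awstats.conf, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def assess(version_text, config_text):
    """Return (vulnerable, reason) following the rule stated in the post."""
    version = parse_version(version_text)
    settings = parse_config(config_text)
    # Assumption: if the key is absent, treat the update path as enabled so the
    # audit errs on the side of flagging the install.
    update_from_browser = settings.get("AllowToUpdateStatsFromBrowser", "1")
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return False, "version %d.%d is outside the affected 5.0-6.2 range" % version
    if update_from_browser == "0":
        return False, "AllowToUpdateStatsFromBrowser=0 disables the browser update path"
    return True, "version %d.%d with browser updates enabled: upgrade to 6.3" % version


# Constructed sample: the weak setting next to the corrected one.
WEAK_CONF = '# awstats.conf\nSiteDomain="example.invalid"\nAllowToUpdateStatsFromBrowser=1\n'
FIXED_CONF = WEAK_CONF.replace("AllowToUpdateStatsFromBrowser=1", "AllowToUpdateStatsFromBrowser=0")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, assess("6.2", conf))
```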


Copyright Anand Jain 2004, 2005. All rights reserved.