Wednesday, February 02, 2005
Awstats security hole
An update to this entry has been posted here.
There is a security hole in AWStats versions 5.0 through 6.2 when AWStats is used as a CGI: a remote user can execute arbitrary commands on your server with the permissions of your web server user. However, if you use AWStats with another version, or with the option AllowToUpdateStatsFromBrowser set to 0, you are safe.
See a sample exploit.
Anyone who is using one of the older versions must upgrade to the latest 6.3 version. Even some high-profile bloggers like Russell Beattie and Jeremy Zawodny had their servers hacked because of this exploit.
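A small checker that applies the two criteria above (version in the 5.0 to 6.2 range, and AllowToUpdateStatsFromBrowser not set to 0) to an awstats.conf fragment. This is an added example, not code from the post or from the AWStats project; the config fragments are constructed, and the `Key=value` directive syntax of awstats.conf is assumed.

```python
import re

# Risk criteria as stated in the post: AWStats 5.0 through 6.2 run as a CGI
# is exploitable unless AllowToUpdateStatsFromBrowser is set to 0.
VULN_MIN = (5, 0)
VULN_MAX = (6, 2)

def parse_version(text):
    """Turn '6.2' or '6.3' into a comparable (major, minor) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def parse_update_setting(config_text):
    """Return the integer value of AllowToUpdateStatsFromBrowser from
    awstats.conf text, or None if the directive is absent or commented out."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r'^AllowToUpdateStatsFromBrowser\s*=\s*"?(\d+)"?$', line)
        if m:
            return int(m.group(1))
    return None

def assess(version_text, config_text):
    """Classify a deployment using the post's criteria."""
    version = parse_version(version_text)
    if not VULN_MIN <= version <= VULN_MAX:
        return "version not affected"
    setting = parse_update_setting(config_text)
    if setting is None:
        return "directive not found, check manually"
    if setting == 0:
        return "mitigated by config"
    return "vulnerable: upgrade to 6.3 or set AllowToUpdateStatsFromBrowser=0"

# Constructed sample config fragments (not taken from any real deployment).
WEAK_CONF = '''LogFile="/var/log/apache/access.log"
AllowToUpdateStatsFromBrowser=1   # lets browser visitors trigger an update
'''
SAFE_CONF = '''LogFile="/var/log/apache/access.log"
AllowToUpdateStatsFromBrowser=0
'''

if __name__ == "__main__":
    for ver, conf in (("6.2", WEAK_CONF), ("6.2", SAFE_CONF), ("6.3", WEAK_CONF)):
        print(ver, "->", assess(ver, conf))
```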
Copyright Anand Jain 2004, 2005. All rights reserved.