Warning: AWStats Security Hole discovered!
Redleg
Feb 8th 2005, 12:37 pm
Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser set to 0, you are safe. If not, it is highly recommended to update to version 6.3, which fixes this security hole.
Hackers have already used this security hole to deface www.phpbb.com.
Several popular blogs have also been hacked.
http://www.blogherald.com/2005/02/03/awstats-exploit-downs-blogs/
Update Awstats here:
http://awstats.sourceforge.net/
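The two conditions the advisory above names (an AWStats release from 5.0 through 6.2, and AllowToUpdateStatsFromBrowser not set to 0) can be checked mechanically against an awstats.conf file. The following is an added example written for this thread; it is not code from the original post or from the AWStats project. It assumes the config file uses the usual AWStats KEY=value syntax with # comments, that the operator supplies the version string from their own installation, and (conservatively, an assumption of this script) that a missing AllowToUpdateStatsFromBrowser directive is treated as not safely disabled. The two config texts are constructed samples.

```python
import re

# Version range named in the advisory: 5.0 through 6.2 affected, 6.3 fixed.
AFFECTED_MIN = (5, 0)
AFFECTED_MAX = (6, 2)
FIXED = (6, 3)

# AWStats config directives are KEY=value lines, value optionally quoted; '#' starts a comment.
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

# Constructed sample configs (not real files): one as shipped with the update option on,
# one hardened by setting it to 0.
CONF_DEFAULT = """# AWStats configuration (constructed sample)
LogFile="/var/log/httpd/access_log"
SiteDomain="example.com"
AllowToUpdateStatsFromBrowser=1
"""

CONF_HARDENED = """# AWStats configuration (constructed sample, hardened)
LogFile="/var/log/httpd/access_log"
SiteDomain="example.com"
# AllowToUpdateStatsFromBrowser=1   <- old value, commented out
AllowToUpdateStatsFromBrowser=0
"""


def parse_version(text):
    """'6.2' or '6.2 (build ...)' -> (6, 2); raises ValueError if no major.minor is found."""
    m = re.match(r'\s*(\d+)\.(\d+)', text)
    if not m:
        raise ValueError('unrecognised AWStats version: %r' % text)
    return int(m.group(1)), int(m.group(2))


def config_directives(config_text):
    """Map directive name -> last assigned value; comment lines are skipped."""
    values = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def assess(version_text, config_text):
    """Apply the advisory's two conditions and return a verdict plus the facts behind it."""
    version = parse_version(version_text)
    directives = config_directives(config_text)
    flag = directives.get('AllowToUpdateStatsFromBrowser')
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    # Assumption: anything other than an explicit 0 (including a missing directive)
    # is treated as "updates from the browser allowed".
    update_from_browser = flag != '0'
    if not affected:
        verdict = 'not affected: version %d.%d is outside 5.0-6.2' % version
    elif not update_from_browser:
        verdict = 'mitigated: AllowToUpdateStatsFromBrowser=0 (still upgrade to %d.%d)' % FIXED
    else:
        verdict = 'VULNERABLE: upgrade to %d.%d or set AllowToUpdateStatsFromBrowser=0' % FIXED
    return {
        'version': version,
        'affected': affected,
        'update_from_browser': update_from_browser,
        'verdict': verdict,
    }


if __name__ == '__main__':
    for ver, conf in (('6.2', CONF_DEFAULT), ('6.2', CONF_HARDENED), ('6.3', CONF_DEFAULT)):
        print(ver, '->', assess(ver, conf)['verdict'])
```

Run it with the version string of your own install and the contents of your awstats.conf; the "mitigated" verdict is deliberately still worded as a nudge to upgrade, since the option only closes the path the advisory describes, not any other bug in the old release.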
ResaleBroker
Feb 8th 2005, 12:52 pm
Holy Moly! Will it ever end? :rolleyes:
joeychgo
Feb 8th 2005, 12:57 pm
Yeah, it was discovered when they took control over phpBB's server and locked the phpBB admins out.
Chrissicom
Feb 9th 2005, 2:38 am
I think this won't affect awstats users who don't allow public access to their awstats folder right?
I am using AWStats for almost all my domains on IIS6 but it's only accessible with the server admin username and password through the web not as guest user. The server admin name is not Administrator and it's a highly cryptic password as well, so I think it shouldn't be a problem.
mxlabs
Feb 9th 2005, 7:21 am
Yup, I don't think there is any risk when running AWStats through cPanel or similar panels which use password protection for stats.
Guy G
Feb 9th 2005, 7:40 am
Wow, that's major...
*Updates*
Starbug
Feb 9th 2005, 10:17 am
Wow.. I had that installed by my hosting company, without the password protection...
It's been removed now :D
Thanks for the info!! :)
Chrissicom
Feb 9th 2005, 11:04 am
If we are already on the AWStats topic here, does anyone have reverse lookup enabled to see country data info, or does it cost too much bandwidth and server requests? (only around 3000 uniques a day on the measured sites)
ziandra
Jun 28th 2005, 9:58 pm
I wish I had seen this message earlier. I just got finished cleaning two systems of all the crap the script kiddies dropped on it. I wouldn't have noticed it except one of them did not have enough memory to run their programs ;)
The good news is ... as long as awstats was the only mistake you made ... they got access as your web server user and couldn't do much harm. The bad news is ... Had to clean up a bunch of mess. It could have been worse. They could have done some real damage. Seems all they wanted in both cases were machines to host irc bots.
6th Ave
Jun 30th 2005, 1:46 pm
I get hit with this scan several times a day. Although I'm not vulnerable, it's nice to know what they are looking for. Thanks for the update.
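The scans mentioned in the post above can be picked out of an ordinary web server access log. The script below is an added example for this thread, not code from any poster or from the AWStats project. It assumes Apache/NCSA combined log format, and it assumes (since the advisory describes the bug as remote command execution through the CGI) that a probe for it carries shell syntax in the query string sent to awstats.pl; it therefore flags any awstats.pl request whose percent-decoded query contains backticks, ;, |, a newline or $( / ${, and reports plain awstats.pl hits separately so you can see who is reaching the script at all. The log lines are constructed samples and the probe payloads are illustrative, not a reproduction of any particular exploit.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/NCSA combined log format; the request line is split into method, target, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shell syntax in a query string (assumption: a probe for a command-execution bug in a
# CGI carries characters the shell interprets). '&' is deliberately excluded because it
# is the normal query-string separator. Checked after percent-decoding.
SHELL_META_RE = re.compile(r'[`;|\n]|\$\(|\$\{')

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.2 - - [30/Jun/2005:09:12:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - admin [30/Jun/2005:09:14:02 +0000] "GET /cgi-bin/awstats.pl?config=example.com&update=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [30/Jun/2005:09:15:44 +0000] "GET /cgi-bin/awstats.pl?config=%60id%60 HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [30/Jun/2005:09:15:45 +0000] "GET /awstats/awstats.pl?config=x%3Buname%20-a HTTP/1.1" 404 298 "-" "-"
"""


def classify_request(target):
    """Return 'probe', 'hit' or None for one request target (path plus query)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('awstats.pl'):
        return None
    query = unquote(parts.query)
    return 'probe' if SHELL_META_RE.search(query) else 'hit'


def scan_log(text):
    """Parse combined-format lines and return findings for every awstats.pl request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (or a truncated line); skip rather than guess
        kind = classify_request(m['target'])
        if kind is None:
            continue
        findings.append({
            'line': lineno,
            'ip': m['ip'],
            'ts': m['ts'],
            'kind': kind,
            'target': unquote(m['target']),
            'status': int(m['status']),
        })
    return findings


def probe_sources(findings):
    """Distinct client addresses that sent at least one probe, for blocking or follow-up."""
    return sorted({f['ip'] for f in findings if f['kind'] == 'probe'})


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print('%-5s line %d %s %s -> %d' % (f['kind'], f['line'], f['ip'], f['target'], f['status']))
    print('probe sources:', probe_sources(results))
```

Feed it your real access log (for example `scan_log(open('/var/log/httpd/access_log').read())`); a 200 on a probe line is the one worth following up first, because a status of 404 means the scanner guessed a path that does not exist on your server.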
vBulletin® v3.6.8, Copyright ©2000-2008, Jelsoft Enterprises Ltd.