[windows2000] Re: Webserver stats

  • From: Chris Buechler <win2000@xxxxxxxxxxxxxxxxx>
  • To: windows2000@xxxxxxxxxxxxx
  • Date: Mon, 14 Nov 2005 11:13:59 -0500

Rob Sharp wrote:

>AWStats also produces very pretty graphics, and looks way better than
>Analog ever did, even with that addon they advertise (forgot its
>name...).

AWStats looks interesting. Do you know the scope of the exploits someone mentioned?

What might I be opening myself up to by installing it?


It's written in Perl, not PHP as someone suggested earlier. The only issues it's been susceptible to have been programming errors within AWStats itself.


It's had 3 holes in the past allowing arbitrary remote code execution with the privileges of the user running the scripts (by default an account with little privilege in the BSD/Linux/Unix world, not sure how Windows/IIS handles Perl scripts). Not good, but that requires you can get to the directory or virtual host hosting AWStats. A combination of firewalling, web server-based authentication, and keeping up on versions, and there really isn't anything to worry about. Also make sure you subscribe to the AWStats-public list if you're running it, as you'll then get notice of new versions released. AWStats doesn't have to run on the same machine as the actual web server. I set up scripts to pull in http logs from numerous web servers to a central AWStats box that isn't open to the Internet.

Just three holes *ever*, trivially easy to mitigate, and patches quickly released. Properly configured and kept updated, this poses *very* little risk on your network. It's a nice package too.

-Chris