windows2000-bounce@xxxxxxxxxxxxx <> scribbled on Monday, November 14, 2005 5:14 PM:
> Rob Sharp wrote:
>
>>> AWStats also produces very pretty graphics, and looks way better than
>>> Analog ever did, even with that addon they advertise (forgot its
>>> name...).
>>
>> AWStats looks interesting. Do you know the scope of the exploits someone
>> mentioned?
>>
>> What might I be opening myself up to by installing it?
>>
>
> It's written in Perl, not PHP as someone suggested earlier. The only
> issues it's been susceptible to have been programming error within
> AWStats itself.

My mistake. Our central UU IT-Support dept was all over us sysadmins about
AWStats not being secure and so on. Hmmm...

> It's had 3 holes in the past allowing arbitrary remote code execution
> with the privileges of the user running the scripts (by default an
> account with little privilege in the BSD/Linux/Unix world, not sure how
> Windows/IIS handles Perl scripts). Not good, but that requires you can
> get to the directory or virtual host hosting AWStats. A combination of
> firewalling, web server-based authentication, and keeping up on
> versions, and there really isn't anything to worry about. Also make
> sure you subscribe to the AWStats-public list if you're running it, as
> you'll then get notice of new versions released. AWStats doesn't have
> to run on the same machine as the actual web server. I set up scripts to
> pull in http logs from numerous web servers to a central AWStats box
> that isn't open to the Internet.
>
> Just three holes *ever*, trivially easy to mitigate, and patches quickly
> released. Properly configured and kept updated, this poses *very*
> little risk on your network. It's a nice package too.

Yeah, it really looks good!

*****************************
New Site from The Kenzig Group!
Windows Vista Links, list options and info are available at:
http://www.VistaPop.com
*****************************
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
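An added example, not code from this thread or from the AWStats project: the mitigation described in the reply above (AWStats reachable only from a restricted network and only behind web-server authentication) can be verified from the web server's own access log rather than taken on trust. The script below assumes Apache "combined" log format, that AWStats is served under /awstats/, and that the permitted admin network is 10.0.5.0/24; all of those values and the log lines are constructed for the example.

```python
import ipaddress
import re

# Apache "combined" access-log format is assumed; IIS W3C logs would need a
# different parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed deployment policy (hypothetical values): AWStats is served under
# /awstats/, only from the admin network, and only to authenticated users.
AWSTATS_PREFIX = "/awstats/"
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
10.0.5.12 - alice [14/Nov/2005:17:14:02 -0700] "GET /awstats/awstats.pl?config=www HTTP/1.1" 200 5120
203.0.113.9 - - [14/Nov/2005:17:15:30 -0700] "GET /awstats/awstats.pl HTTP/1.1" 401 380
198.51.100.7 - - [14/Nov/2005:17:16:01 -0700] "GET /awstats/awstats.pl?config=www HTTP/1.1" 200 5120
10.0.5.12 - - [14/Nov/2005:17:17:45 -0700] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_allowed(ip_text):
    """True if the client address falls inside one of the permitted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def audit(lines):
    """Flag AWStats requests that violate the policy.

    A request is reported when it comes from outside ALLOWED_NETS or carries no
    authenticated user. Severity is "high" when the server actually served it
    (2xx) and "info" when the server already refused it (e.g. 401/403): the
    latter shows the control working but still records exposure attempts.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(AWSTATS_PREFIX):
            continue
        reasons = []
        if not source_allowed(rec["ip"]):
            reasons.append("source outside allowed networks")
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if not reasons:
            continue
        served = rec["status"].startswith("2")
        findings.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "status": rec["status"],
            "reasons": reasons,
            "severity": "high" if served else "info",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["ip"], f["status"], f["path"], "; ".join(f["reasons"]))
```

On the sample data the 401 from 203.0.113.9 is reported as "info" (the authentication requirement held), while the 200 served to 198.51.100.7 with no user is "high", because it means the directory was reachable from outside the allowed network without authentication, which is exactly the exposure the reply says the firewalling and web-server auth should remove. The check says nothing about which AWStats version is installed; keeping up with releases, as the reply recommends, is a separate control.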