[windows2000] Re: Webserver stats

  • From: "Sorin Srbu" <sorin.srbu@xxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Tue, 15 Nov 2005 08:56:36 +0100

windows2000-bounce@xxxxxxxxxxxxx <> scribbled on Monday, November 14,
2005 5:14 PM:

> Rob Sharp wrote:
>>> AWStats also produces very pretty graphics, and looks way better than
>>> Analog ever did, even with that addon they advertise (forgot its
>>> name...).
>> AWStats looks interesting. Do you know the scope of the exploits
>> mentioned?
>> What might I be opening myself up to by installing it?
> It's written in Perl, not PHP as someone suggested earlier.  The only
> issues it's been susceptible to have been programming error within
> AWStats itself.

My mistake. Our central UU IT-Support dept was all over us sysadmins
about AWStats not being secure and so on. Hmmm...

> It's had 3 holes in the past allowing arbitrary remote code execution
> with the privileges of the user running the scripts (by default an
> account with little privilege in the BSD/Linux/Unix world, not sure
> how Windows/IIS handles Perl scripts).  Not good, but that requires you
> get to the directory or virtual host hosting AWStats.  A combination of
> firewalling, web server-based authentication, and keeping up on
> versions, and there really isn't anything to worry about.  Also make
> sure you subscribe to the AWStats-public list if you're running it, as
> you'll then get notice of new versions released.  AWStats doesn't have
> to run on the same machine as the actual web server.  I set up scripts
> to pull in http logs from numerous web servers to a central AWStats box
> that isn't open to the Internet.
> Just three holes *ever*, trivially easy to mitigate, and patches
> released.  Properly configured and kept updated, this poses *very*
> little risk on your network.  It's a nice package too.

Yeah, it really looks good!
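The "web server-based authentication plus firewalling" mitigation described in the quoted reply, as an added Apache httpd example (not from this thread or from the AWStats project): the AWStats CGI directory is reachable only from an admin network AND with valid credentials, and the static report assets are served without CGI execution. The install path under /usr/local/awstats, the 10.0.0.0/8 admin range and the htpasswd file location are assumptions for illustration; the directive syntax is Apache 2.4.

```apache
# Added example, not from the thread. Paths, network range and the
# AuthUserFile location are assumptions; adjust to the actual install.
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"

<Directory "/usr/local/awstats/wwwroot/cgi-bin">
    Options ExecCGI
    AddHandler cgi-script .pl

    # Web-server-side authentication in front of awstats.pl.
    # Create the file with: htpasswd -c /etc/httpd/awstats.htpasswd <user>
    AuthType Basic
    AuthName "AWStats (restricted)"
    AuthUserFile "/etc/httpd/awstats.htpasswd"

    # Apache 2.4: BOTH conditions must hold. Even with valid credentials,
    # requests from outside the admin network are refused, and a host on
    # the admin network still needs a login.
    <RequireAll>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>
</Directory>

# Images, CSS and JS used by the generated report pages: same network
# restriction, but no CGI handler, so nothing here can execute.
Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
Alias /awstatscss     "/usr/local/awstats/wwwroot/css/"
Alias /awstatsicons   "/usr/local/awstats/wwwroot/icon/"

<Directory "/usr/local/awstats/wwwroot">
    Options None
    Require ip 10.0.0.0/8
</Directory>
```

The directory-level network restriction is belt-and-braces: the border firewall should already block the AWStats host (or virtual host) from the Internet, as the reply recommends, so the httpd rule only has to hold if that outer layer is misconfigured.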
