Tuesday, February 1, 2005

AWstats vulnerability

A number of people, including Jeremy Zawodny and Russell Beattie, have been hit by this security issue, which affects versions 5.0-6.2. If you have the option AllowToUpdateStatsFromBrowser set to 0 then you are not affected. To be honest, there is no reason to use that feature. I don't; my stats update runs hourly from cron, which is the most logical thing to do, since no intervention is then required to obtain the latest stats information: all you need to do is view the URL.

Unless you want to allow people to view your stats, using a .htaccess would be wise; it would have eliminated this issue for Russell and Jeremy even with the update-from-browser option on. The need-to-know basis is part of the foundation of security, computer and otherwise: don't give information to people that they don't require.
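The three checks described above (version range, the AllowToUpdateStatsFromBrowser setting, and an .htaccess restriction) can be run as a small audit. This is an added example, not part of the original post or of AWStats; the function names, the sample config text and the `/placeholder/` path are constructed for illustration, and it assumes that the last assignment in the config wins and that an unset option behaves as 0.

```python
import re

AFFECTED = ((5, 0), (6, 2))  # version range named in the post

def effective_option(conf_text, name, default="0"):
    """Value of `name` in AWStats-style Key=Value config text.
    Assumptions: '#' starts a comment, the last assignment wins,
    and an unset option behaves as `default`."""
    value = default
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            value = m.group(2).strip().strip('"')
    return value

def htaccess_restricts(htaccess_text):
    """True if the .htaccess text demands a login or denies everyone."""
    lines = [l.split("#", 1)[0].strip().lower()
             for l in htaccess_text.splitlines()]
    has_auth = any(l.startswith("authtype ") for l in lines)
    has_require = any(l.startswith("require ") and l != "require all granted"
                      for l in lines)
    deny_all = any(re.fullmatch(r"deny\s+from\s+all", l) for l in lines)
    return (has_auth and has_require) or deny_all

def audit(version, conf_text, htaccess_text):
    """Return a list of findings for one AWStats install (empty list = clean)."""
    findings = []
    if AFFECTED[0] <= version <= AFFECTED[1]:
        findings.append("version in affected range 5.0-6.2")
    if effective_option(conf_text, "AllowToUpdateStatsFromBrowser") != "0":
        findings.append("AllowToUpdateStatsFromBrowser is enabled")
    if not htaccess_restricts(htaccess_text or ""):
        findings.append("stats URL has no .htaccess restriction")
    return findings

# Constructed sample inputs (not taken from any real site).
WEAK_CONF = ('LogFile="/placeholder/access.log"\n'
             'AllowToUpdateStatsFromBrowser=1  # update link shown\n')
HARDENED_CONF = ('LogFile="/placeholder/access.log"\n'
                 'AllowToUpdateStatsFromBrowser=0\n')
HTACCESS = ('AuthType Basic\nAuthName "stats"\n'
            'AuthUserFile /placeholder/.htpasswd\nRequire valid-user\n')

if __name__ == "__main__":
    print(audit((6, 2), WEAK_CONF, ""))
    print(audit((6, 3), HARDENED_CONF, HTACCESS))
```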

Post ID: 650, posted by jase at 07:20 PM
Category: Security