AWStats - Vulnerability?

[mdwatkin]

Has anyone seen the eWeek article (http://www.eweek.com/article2/0,1759,1763152,00.asp) about howthe PhpBB.com website was compromised using a flaw in AWStats? We are on 6.1 I believe. Is there any plan to upgrade?

[admin]

Yea we know about it.

[Brangwyn]

It's only an issue if you have Allow Manual Update enabled.

[admin]

Well we did update AWstats on all windows servers they are all 6.3 now.

Unix will take a bit of time to update as it does a awstats.pl in every user dir.

Brangwyn did I miss something? What is "Allow Manual Update" I thought it was all AWstats and was in the awstats.pl file that caused the issue from what I read on psofts forum anyway.

[Brangwyn]

Straight from the AWStats site

Quote:

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole.

Hence I didn't mention the exploit earlier, I thought we had AWStats running without the allow update option.

For those interested it was actually this AWStats exploit that I believe took down the PHPBB2 Home pages... edit this was already pointed out, should have reread the first post myself