6/13/05 AWstats security hole.

[Vantage]

Hello everyone.

We are currently running AWstats 6.4. This is the latest version.

We have just discovered that there is a security hole in this version. A few sites have been defaced based on this and I am sure others will be as well.

This is just a warning. We are looking at the code ourseves and hoping to find the flaw. Untill then, There is no update available.

[Brangwyn]

Could the box have been compromised by the earlier <= 6.4 version exploit before you upgraded? I've heard of a few boxes being hit recently that the owners suspect had been compromised several months ago.

[admin]

Not sure but we will are going to do everything we can to be 100% sure AW is fully fixed and the box is 100% safe..

This is part of what I told the techs after the mod_rewrite rule anything they might have to fix server wide must be posted, even if it does not have to be done in the end I would rather be safe then sorry..

[Vantage]

It doeant look like anything was compromised. Some defacements seams to be the worst of it.

We are working on AWstats. It would be nice if they released a patched version.

[Silverbug]

Are you able to contact the people who's site are hit, or is it more of a wait for the client to realise their sites been hit, then contact us.

[Dean]

All resellers that have defaced sites that we are aware of have been contacted.

We are updating all sites on the Unix servers that are running old versions of AWStats. All domains will be running v6.4.

[cambodia]

so if we disable it we will safe from bug hole ? until everything complete then we enable it , can this way is good way ?

[Dean]

AWStats has been updated to latest for all users.