Awstats?



On the Ramparts
03-13-2007, 01:36 PM
Getting ready to install a stats program.

I like the look of AWStats, but have seen some here have had issues with install and a mention of security issues. Anyone have info or tips?

On the Ramparts
03-14-2007, 01:56 PM
OK, after a bit of research ver 6.5 has security issues.

AWStats web home says ver 6.6 released in Jan 07 solves the issues. True? If so, how can ver 6.6 be installed since the only version available through site manager is vulnerable?

Or -

Is there a more secure stats package available that has as full or better capabilities?

Or -

Could one simply install AWStats on an offline machine (non web server), download log file, and interpret offline?

jalal
03-15-2007, 03:08 AM
How would the security issue with 6.5 affect us here on Westhost???

Just curious... :)

AWStats is by far the best log analysis system I've used (and I've tried them all at one time or another).

On the Ramparts
03-15-2007, 09:49 AM
I am not terribly knowledgeable on this, but here is a security alert -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200508-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: AWStats: Arbitrary code execution using malicious Referrer information
Date: August 16, 2005
Bugs: #102145
ID: 200508-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

AWStats fails to validate certain log input, which could lead to the
execution of arbitrary Perl code during the generation of the
statistics.

Background
==========

AWStats is an advanced log file analyzer and statistics generator. In
HTTP reports it parses Referrer information in order to display the
most common Referrer values that caused users to visit the website.

Affected packages
=================

-------------------------------------------------------------------
     Package              /   Vulnerable   /   Unaffected
-------------------------------------------------------------------
  1  net-www/awstats            < 6.5            >= 6.5

Description
===========

When using a URLPlugin, AWStats fails to sanitize Referrer URL data
before using them in a Perl eval() routine.

Impact
======

A remote attacker can include arbitrary Referrer information in an HTTP
request to a web server, therefore injecting tainted data into the log
files. When AWStats is run on this log file, this can result in the
execution of arbitrary Perl code with the rights of the user running
AWStats.

Workaround
==========

Disable all URLPlugins in the AWStats configuration.

Resolution
==========

All AWStats users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-www/awstats-6.5"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

-----------------------------

From AWStats official page -
AWStats security announcements
This page provides information about known problems related to security on AWStats software.
Current security status: Small hole found in 6.5 and lower, fixed in 6.6
Status updated on: 2006-08-12


The following text gives you a historical summary of all past holes found and fixed:

Version 6.6 or higher (safe from any known exploits)

There is no exploit or hole known to the AWStats team on this version, so AWStats 6.6 and higher are safe.

Note 1: You may however find announcements about parameters provided in URLs that are not sanitized. In fact, the AWStats sanitizing code can be found in the line
$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
This line sanitizes all URL parameters provided to AWStats (from CSS code and from the | command).
Note 2: Some reports warn against some AWStats versions that have holes just because of the use of the "eval" Perl function. It's true that using the "eval" function can be a hole when its parameters are not sanitized, but they are in 6.5 (for the 'configdir' parameter) and in 6.6 (for all parameters, even the 'migrate' parameter forgotten in 6.5).


Hole #3: Versions 6.4 and 6.5 (offer a way to make XSS attacks):

When AWStats version 6.4 or 6.5 is used as a CGI:
Incorrectly sanitized parameters refererpagesfilter, urlfilter, hostfiler, refererpagesfilterex, urlfilterex, hostfilerex can be used to provide an AWStats URL that returns a URL containing JavaScript used for XSS attacks.
This hole is reported under the name:
- CVE-2006-3681
When AWStats version 6.5 or lower is used to build static pages:
If you use AWStats to build static pages, you are completely safe, whatever version of AWStats you use.
__________________________________________ end


If this does not affect the AWStats 6.5 available through Site Manager, or if there is a workaround (static page?), I would appreciate your input.

Thanks!

WestHost - RMinnick
03-16-2007, 04:18 PM
Hello Everyone,

We are aware that AWStats 6.6 has been released and it is on our list of applications that will be updated in the near future.

Regarding the bugs listed previously in this thread, the first one (listed as #102145) does not apply to the version of AWStats that WestHost offers (v6.5). The pasted text:



-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-www/awstats < 6.5 >= 6.5

was a little confusing because of the browser's whitespace trimming; it could be more clearly written as follows:

Package: 1 net-www/awstats
Vulnerable: < 6.5
Unaffected: >= 6.5

Regarding the last issue of running AWStats as a CGI, if you wish to not run AWStats as a CGI you can modify your configuration file to turn it off. The file is located in /etc/awstats/ directory in your account. To turn it off, just search for the following setting and change it from one to zero:

AllowToUpdateStatsFromBrowser=1

Hopefully that helps. If you need information more specific to your account please feel free to contact our Tech Support team.
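The two mitigations raised in this thread (the advisory's "disable all URLPlugins" workaround and Ryan's AllowToUpdateStatsFromBrowser=0 change) can both be checked from the config file. This is an added example, not code from the thread or from the AWStats project; the config fragment is constructed, and the set of plugin names treated as "URLPlugins" is an assumption the admin must fill in for their own install.

```python
import re

# Constructed sample of an AWStats config fragment, not a real site's file.
SAMPLE_CONFIG = """\
# awstats.example.com.conf (constructed sample)
LogFile="/var/log/apache2/access.log"
SiteDomain="example.com"
AllowToUpdateStatsFromBrowser=1
LoadPlugin="tooltips"
LoadPlugin="urlalias"
"""

# Assumption: the admin supplies the plugin names they consider "URLPlugins"
# in the advisory's sense; this default is illustrative only.
DEFAULT_URL_PLUGINS = {"urlalias"}

# key=value or key="value", with an optional trailing # comment
_SETTING = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_awstats_config(text):
    """Return (settings dict, list of LoadPlugin names).
    LoadPlugin may repeat, so it is collected separately; only the first
    word of its value is the plugin name (the rest are plugin options)."""
    settings, plugins = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "LoadPlugin":
            plugins.append(value.split()[0] if value else "")
        else:
            settings[key] = value
    return settings, plugins

def audit_awstats_config(text, url_plugins=DEFAULT_URL_PLUGINS):
    """Flag the two exposures from the thread: stats updatable from the
    browser (CGI/XSS path) and a URL plugin loaded (eval path)."""
    settings, plugins = parse_awstats_config(text)
    findings = []
    if settings.get("AllowToUpdateStatsFromBrowser") == "1":
        findings.append("AllowToUpdateStatsFromBrowser=1: set to 0 unless browser updates are needed")
    for name in plugins:
        if name in url_plugins:
            findings.append(f'LoadPlugin="{name}": URL plugin enabled; disable until 6.6 or later')
    return findings

if __name__ == "__main__":
    for finding in audit_awstats_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```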

On the Ramparts
03-16-2007, 06:49 PM
Thank you, Ryan, for clearing this up.

jalal
03-17-2007, 12:02 PM
Yeah, it needs to be run as CGI for the security risk to exist. I thought that was disabled by default, but maybe not.