For the people using fusion-ict's DA Awstats plugin, I made a quick fix to close the exploit in the current awstats 6.1. This small script goes over all config files in /etc/awstats and finds all
AllowToUpdateStatsFromBrowser=1
and changes them to
AllowToUpdateStatsFromBrowser=0
This works with the 2.0.2 awstats plugin on a Fedora C1 install; I haven't tested it on other versions of the plugin or other OSes. Back up your /usr/local/directadmin and /etc directories before running this, and use it at your own risk, etc, etc.
Actual script:
http://213.247.60.200/fixAwstats61.sh
The source:
Code:
#!/bin/bash
## Quick awstats exploit loophole fix
## By Jeroen Wunnink - Easyhosting.nl

# Change to the awstats config dir and create a working directory; abort if the
# dir is missing so nothing below runs against the wrong tree
cd /etc/awstats || exit 1
mkdir -p tmp

# Walk the real config files, skipping the symlinked ones from subdomains
# (they point at a parent config that this loop already handles)
for j in *.conf
do
    [ -f "$j" ] || continue
    [ -L "$j" ] && continue
    # Look in which files the exploit is doable
    if grep -q '^AllowToUpdateStatsFromBrowser=1' "$j"
    then
        # Copy the config aside, edit the copy, and write the result over the
        # original so its owner and permissions are kept
        cp "$j" tmp/
        sed 's/^AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/' "tmp/$j" > "$j"
    fi
done
# Clean up our tmp dir
rm -rf tmp

# Change the plugin's template config so new installs are not vulnerable either
cd /usr/local/directadmin/plugins/awstats/hooks/cgi-bin || exit 1
cp awstats.none.conf awstats.none.conf.tmp
sed 's/^AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/' awstats.none.conf.tmp > awstats.none.conf
rm -f awstats.none.conf.tmp
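As an added example that is not part of the original post or of the DA Awstats plugin: the same hardening written as shell functions that take the config directory as an argument, so you can run them against a scratch copy first and re-audit afterwards to confirm no file still has AllowToUpdateStatsFromBrowser=1 (including the parent config that subdomain symlinks point at). The function names, the scratch directory and the config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or the DA Awstats plugin: the same
# hardening as reusable functions that take the config directory as an argument,
# plus an audit that is run again afterwards to confirm the fix took.

# List the regular (non-symlink) *.conf files under $1 that still have
# AllowToUpdateStatsFromBrowser=1 at the start of a line.
# Exit status 0 if at least one was found, 1 if the tree is clean.
awstats_vulnerable_confs() {
    dir=$1
    found=1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue      # also skips the literal "*.conf" when nothing matches
        [ -L "$f" ] && continue      # subdomain symlinks point at a parent config handled here
        if grep -q '^AllowToUpdateStatsFromBrowser=1' "$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Flip =1 to =0 in every vulnerable config under $1 and print how many files
# were changed. The result is written back through the original file so its
# inode, owner and mode are preserved (cat > file, not mv).
awstats_disable_browser_update() {
    dir=$1
    n=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        grep -q '^AllowToUpdateStatsFromBrowser=1' "$f" || continue
        tmp=$(mktemp) || return 1
        sed 's/^AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/' "$f" > "$tmp" \
            && cat "$tmp" > "$f"
        rm -f "$tmp"
        n=$((n + 1))
    done
    echo "$n"
}

# Build a scratch tree in the shape of /etc/awstats with constructed contents:
# one vulnerable vhost config, one already safe, and one subdomain symlink.
# Prints the directory path; the caller removes it.
awstats_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'SiteDomain="example.com"\nAllowToUpdateStatsFromBrowser=1\nAllowFullYearView=2\n' \
        > "$d/awstats.example.com.conf"
    printf 'SiteDomain="safe.example"\nAllowToUpdateStatsFromBrowser=0\n' \
        > "$d/awstats.safe.example.conf"
    ln -s awstats.example.com.conf "$d/awstats.sub.example.com.conf"
    echo "$d"
}

# Demonstration: audit, fix, audit again.
demo=$(awstats_demo_dir)
echo "before: $(awstats_vulnerable_confs "$demo" | wc -l) vulnerable config(s)"
echo "changed: $(awstats_disable_browser_update "$demo") file(s)"
echo "after:  $(awstats_vulnerable_confs "$demo" | wc -l) vulnerable config(s)"
rm -rf "$demo"
```

To use it on a real box, point the functions at /etc/awstats (and at the plugin's hooks/cgi-bin directory for awstats.none.conf) instead of the scratch dir; the second audit should print nothing and return 1 once every config has been rewritten.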