Awstats exploit quick fix

02-10-2005, 01:43 AM
For the people using fusion-ict's DA Awstats plugin, I made a quick fix to close the exploit in the current awstats 6.1. This small script goes over all config files in /etc/awstats, finds all occurrences of AllowToUpdateStatsFromBrowser=1 and changes them to AllowToUpdateStatsFromBrowser=0.

This works with the 2.0.2 awstats plugin on a Fedora C1 install. I haven't tested it on other versions of the plugin or other OSes. Back up your /usr/local/directadmin and /etc directories before running this; using this is at your own risk, etc, etc ;)

Actual script:

The source:

#!/bin/sh
## Quick awstats exploit loophole fix
## By Jeroen Wunnink - Easyhosting.nl

# Changing to the awstats config dir and creating a working directory
cd /etc/awstats || exit 1
mkdir -p tmp
# Excluding the softlinked config files from subdomains
ls -la *.conf | grep -v lrwx | awk '{print $9}' | while read j
do
    # Looking in which files the exploit is doable
    k=$(grep -c "AllowToUpdateStatsFromBrowser=1" "$j")
    if [ "$k" -gt 0 ]
    then
        # Creating a 2nd version of the config, editing it, and outputting the result to the original file
        cp "$j" tmp/
        sed 's/AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/g' "tmp/$j" > "$j"
    fi
done
# Cleaning up our tmp dir
rm -rf tmp

# Changing the main plugin's config to not make new installs vulnerable
cd /usr/local/directadmin/plugins/awstats/hooks/cgi-bin || exit 1
cp awstats.none.conf awstats.none.conf.tmp
sed 's/AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/g' awstats.none.conf.tmp > awstats.none.conf
rm -f awstats.none.conf.tmp
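The following is an added example, not code from either post or from the plugin. It does the same kind of check as the script above but in a form that can be audited first and re-run safely: it lists the regular (non-symlink) *.conf files in a directory that still carry AllowToUpdateStatsFromBrowser=1, counts them, and hardens each one while keeping a .bak copy. Symlinked subdomain configs are skipped by find -type f, so each real file is rewritten once. The directory path and the sample config files are constructed for the demo; real systems would point it at /etc/awstats.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): audit and harden AWStats
# config files for AllowToUpdateStatsFromBrowser. Assumes POSIX sh plus
# find -maxdepth (GNU/BSD). The demo directory and configs are constructed.

# Print the regular *.conf files in "$1" that still allow browser-triggered
# updates, one path per line. Symlinks are excluded by -type f.
find_vulnerable_configs() {
    find "$1" -maxdepth 1 -name '*.conf' -type f \
        -exec grep -l '^AllowToUpdateStatsFromBrowser=1' {} +
}

# Count those files (stdout only, so it can be captured with $(...)).
count_vulnerable_configs() {
    find_vulnerable_configs "$1" | wc -l | tr -d ' '
}

# Rewrite each affected file, keeping a .bak copy. Writing with > into the
# existing file keeps its owner and mode, which awstats.pl relies on.
harden_configs() {
    find_vulnerable_configs "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        sed 's/^AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/' "$f.bak" > "$f"
        echo "hardened: $f"
    done
}

# Demo on constructed sample configs in a throwaway directory.
demo_dir=$(mktemp -d)
printf 'SiteDomain="example.test"\nAllowToUpdateStatsFromBrowser=1\n' \
    > "$demo_dir/awstats.example.test.conf"
printf 'SiteDomain="safe.test"\nAllowToUpdateStatsFromBrowser=0\n' \
    > "$demo_dir/awstats.safe.test.conf"
# Subdomain-style symlink to the first config; it must not be rewritten twice.
ln -s awstats.example.test.conf "$demo_dir/awstats.sub.example.test.conf"

before=$(count_vulnerable_configs "$demo_dir")
harden_configs "$demo_dir"
after=$(count_vulnerable_configs "$demo_dir")
echo "vulnerable before: $before, after: $after"
```

Run find_vulnerable_configs alone first to see what would change; harden_configs only touches files that the audit step reports, so a second run is a no-op and the .bak files show exactly what was altered.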

02-10-2005, 08:04 AM
This doesn't fix the issue and probably doesn't fix the configdir parameter breach.

The last topic in my posts explains how to do this for your clients.
Once again I will post the steps here:

1. Upgrade to the latest versions of my plugin.
2. cd /usr/local/directadmin/plugins/awstats/hooks
3. php awstatsinstall.php -f -a

And done, all the awstats.pl scripts are now replaced with the new ones and include the security patches. In later versions I will include these steps in the update.sh of the plugin!

For now this should do it.