Awstats exploit quick fix

Wunk

For the people using fusion-ict's DA Awstats plugin, I made a quick fix to close the exploit in the current awstats 6.1. This small script goes over all config files in /etc/awstats and finds all
AllowToUpdateStatsFromBrowser=1
and changes them to
AllowToUpdateStatsFromBrowser=0

This works with the 2.0.2 awstats plugin on a Fedora C1 install; I haven't tested it on other versions of the plugin or OSes. Back up your /usr/local/directadmin and /etc directories before running this, and use it at your own risk, etc, etc ;)

Actual script:
http://213.247.60.200/fixAwstats61.sh

The source:
Code:
#!/bin/bash
## Quick awstats exploit loophole fix
## By Jeroen Wunnink - Easyhosting.nl

# Changing to the awstats config dir and creating a working directory
cd /etc/awstats || exit 1
mkdir -p tmp
# Excluding the softlinked config files from subdomains (-type f skips symlinks,
# which point at a per-domain config that is handled here anyway)
find . -maxdepth 1 -type f -name '*.conf' | sed 's|^\./||' | while read -r j
 do
  # Looking in which files the exploit is doable
  k=$(grep -c "AllowToUpdateStatsFromBrowser=1" "$j")
  if [ "$k" -gt 0 ]
   then
   # Creating a 2nd version of the config, editing it, and outputting the result to the original file
   cp "$j" tmp/
   sed 's/AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/g' "tmp/$j" > "$j"
  fi
 done
# Cleaning up our tmp dir
rm -rf tmp

# Changing the main plugin's config to not make new installs vulnerable
cd /usr/local/directadmin/plugins/awstats/hooks/cgi-bin || exit 1
cp awstats.none.conf awstats.none.conf.tmp
sed 's/AllowToUpdateStatsFromBrowser=1/AllowToUpdateStatsFromBrowser=0/g' awstats.none.conf.tmp > awstats.none.conf
rm -f awstats.none.conf.tmp
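A check to run after the script above, as an added example that is not part of the original post or the plugin: it lists every regular *.conf file in the config directory whose active AllowToUpdateStatsFromBrowser line is still 1. Unlike the exact-string sed in the script, it tolerates whitespace around the `=` and ignores commented-out lines; the sample directory, file names and domains it builds are constructed for demonstration.

```shell
#!/bin/bash
# Print every regular *.conf file under the given dir (default /etc/awstats) that still
# allows stats updates from the browser. -type f skips the symlinked subdomain configs,
# which only point at a per-domain file that is checked in its own right.
awstats_find_vulnerable() {
    local dir="${1:-/etc/awstats}"
    find "$dir" -maxdepth 1 -type f -name '*.conf' \
        -exec grep -lE '^[[:space:]]*AllowToUpdateStatsFromBrowser[[:space:]]*=[[:space:]]*1[[:space:]]*$' {} + \
        | sort
}

# Report the result; exit status 0 means no config is left open, 1 means some still are.
awstats_audit() {
    local dir="${1:-/etc/awstats}" hits
    hits="$(awstats_find_vulnerable "$dir")"
    if [ -n "$hits" ]; then
        echo "Still allowing updates from browser in $dir:"
        echo "$hits"
        return 1
    fi
    echo "OK: no config in $dir allows updates from the browser"
    return 0
}

# Constructed sample tree so the check can be tried without touching /etc/awstats:
# one fixed config, one still open (with spaces around '='), one with only a commented
# '=1' line, and a subdomain symlink like the ones the DA plugin creates.
awstats_sample_dir() {
    local d
    d="$(mktemp -d)"
    printf 'SiteDomain="fixed.example"\nAllowToUpdateStatsFromBrowser=0\n' > "$d/awstats.fixed.example.conf"
    printf 'SiteDomain="open.example"\nAllowToUpdateStatsFromBrowser = 1\n' > "$d/awstats.open.example.conf"
    printf '# AllowToUpdateStatsFromBrowser=1\nAllowToUpdateStatsFromBrowser=0\n' > "$d/awstats.commented.example.conf"
    ln -s "$d/awstats.open.example.conf" "$d/awstats.sub.open.example.conf"
    echo "$d"
}
```

Run `awstats_audit` with no argument on the live box after the fix; a non-zero exit means a config (or the whitespace variant the sed misses) is still open.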
 
This doesn't fix the issue and probably doesn't fix the configdir parameter breach.

The last topic in my posts explains how to do this for your clients.
Once again I will post the steps here:

1. Upgrade to the latest versions of my plugin.
2. cd /usr/local/directadmin/plugins/awstats/hooks
3. php awstatsinstall.php -f -a


And done: all the awstats.pl scripts are now replaced with the new ones and include the security patches. In later versions I will include these steps in the update.sh of the plugin!

For now this should do it.
 