Old February 7th, 2005, 6:42 PM   #1 (permalink)
Registered User
Comfy Contributor
 
Joined in Oct 2004
132 posts
Gave thanks: 1
Thanked 0 times
Bug in Awstats

I am not sure if anyone is aware of this, but there is a flaw in Awstats through which a group was able to hack into phpbb.com's website.

Here is the link: http://www.extremephpbb.com/forum/vi...hp?p=1008#1008

The warning is as follows:

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to the 6.3 version that fixes this security hole.

The version hacked was 6.2 and that is the version listed in my cPanel

I am hoping that Surpass is already aware of this issue.
__________________
SERVER: PASS 16

Last edited by mikespe; February 7th, 2005 at 6:45 PM..
mikespe is offline  
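The advisory quoted above gives three conditions that have to hold at once: an AWStats version from 5.0 to 6.2, AWStats run as a CGI, and AllowToUpdateStatsFromBrowser not set to 0. The following is an added example, not code from the thread or from the AWStats project, that turns those conditions into a check an admin can run against a host. The version-string shape (the assumed output of `awstats.pl -version`) and the `awstats.*.conf` line format are assumptions about AWStats; the verdict logic itself is only what the advisory states.

```python
"""Added example: decide whether an AWStats install matches the advisory's
exposed configuration (version 5.0 to 6.2, run as a CGI, with
AllowToUpdateStatsFromBrowser left enabled). The version-string and config
formats handled here are assumptions about AWStats, not taken from the thread."""
import re
import sys

AFFECTED_MIN = (5, 0)   # inclusive, per the advisory
AFFECTED_MAX = (6, 2)   # inclusive, per the advisory
FIXED_IN = (6, 3)       # the release the advisory says to upgrade to


def parse_version(text):
    """Pull major.minor out of strings such as 'AWStats version 6.2 (build 1.581)'
    (assumed output of `awstats.pl -version`) or a bare '6.2'. None if absent."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def version_affected(version):
    """True when the version falls inside the advisory's 5.0-6.2 window."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def update_from_browser(config_text):
    """Effective AllowToUpdateStatsFromBrowser value from a config body:
    True (enabled), False (set to 0) or None (never set).
    Commented-out lines are ignored; the last active assignment wins."""
    value = None
    pattern = re.compile(r'^AllowToUpdateStatsFromBrowser\s*=\s*"?(\d+)"?')
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            value = int(m.group(1)) != 0
    return value


def assess(version_text, config_text, used_as_cgi=True):
    """Combine the advisory's three conditions into one verdict.
    Returns {'exposed': True | False | None, 'reason': str}."""
    version = parse_version(version_text)
    if version is None:
        return {"exposed": None, "reason": "could not parse AWStats version"}
    if not version_affected(version):
        return {"exposed": False, "reason": "version %d.%d outside 5.0-6.2" % version}
    if not used_as_cgi:
        return {"exposed": False, "reason": "affected version but not run as a CGI"}
    setting = update_from_browser(config_text)
    if setting is False:
        return {"exposed": False, "reason": "AllowToUpdateStatsFromBrowser=0 mitigates"}
    if setting is None:
        # Not set explicitly: report as unverified instead of guessing the
        # built-in default (assumption: unknown until confirmed on the host).
        return {"exposed": None,
                "reason": "affected version, option not set explicitly; "
                          "verify the effective default or upgrade to %d.%d" % FIXED_IN}
    return {"exposed": True,
            "reason": "affected version, run as CGI, browser updates enabled; "
                      "upgrade to %d.%d" % FIXED_IN}


if __name__ == "__main__":
    # Usage (paths assumed):
    #   python check_awstats.py "$(perl /usr/local/awstats/wwwroot/cgi-bin/awstats.pl -version)" \
    #       /etc/awstats/awstats.example.com.conf
    with open(sys.argv[2]) as fh:
        verdict = assess(sys.argv[1], fh.read())
    print(verdict["exposed"], "-", verdict["reason"])
```

On a cPanel box each account has its own `awstats.<domain>.conf`, so the config part of the check needs to be run per account; a single 6.2 binary with one account that enables browser updates is enough to be exposed.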
Old February 7th, 2005, 7:28 PM   #2 (permalink)
Registered User
Comfy Contributor
 
Joined in Oct 2004
132 posts
Gave thanks: 1
Thanked 0 times
Here is the link from phpBB.com:

http://www.phpbb.com/
__________________
SERVER: PASS 16
mikespe is offline  
Old February 7th, 2005, 7:55 PM   #3 (permalink)
Registered User
Comfy Contributor
 
Joined in Oct 2004
132 posts
Gave thanks: 1
Thanked 0 times
OK...I know I am being a pain now but this is from the AWSTATS official site:

Quote:
Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to the 6.3 version that fixes this security hole.
I am hoping someone will respond to this.
__________________
SERVER: PASS 16
mikespe is offline  
Old February 7th, 2005, 8:15 PM   #4 (permalink)
Registered User
Comfy Contributor
 
Joined in Dec 2004
Lives in Fairfax, VA, USA
Hosted on sh57
247 posts
Gave thanks: 0
Thanked 0 times
Hi, I'm responding to this. I don't really have anything to add, but I read about the bug and it was interesting.

This is a "user to user" forum after all, so if you need to contact Surpass about fixing the problem, you probably should actually do so.
__________________
Ben the Benly Benis: the greatest webcomic in existence. (on sh57)
graue is offline  
Old February 8th, 2005, 5:01 AM   #5 (permalink)
Registered User
Seasoned Poster
 
Code3TJ's Avatar
 
Joined in Jan 2004
Hosted on Pass51
62 posts
Gave thanks: 0
Thanked 0 times
Sent a ticket asking if it'll be upgraded.
__________________
Jeep Horizons - Pass51
California Jeeper - Pass51
Code3TJ is offline  
Old February 8th, 2005, 5:35 AM   #6 (permalink)
rocks your socks.
Resident.
 
David's Avatar
 
Joined in Mar 2004
Lives in fear of Obama.
Hosted on Pass 7
13,171 posts
Gave thanks: 8
Thanked 35 times
Yes, you should submit a ticket to support and bring this to their attention.
__________________
Quote:
Originally Posted by removed View Post
Internet Explorer rules.
David is online now  
Old February 9th, 2005, 3:01 PM   #7 (permalink)
Registered User
Seasoned Poster
 
Code3TJ's Avatar
 
Joined in Jan 2004
Hosted on Pass51
62 posts
Gave thanks: 0
Thanked 0 times
Here's the latest from phpBB.com
Quote:
Last updated: 9th February 2005, 12:22 GMT

Hi everyone,

A further update and reminder as to the situation with this site. Our system was compromised Sunday evening by a group of hackers/crackers who (based on available information apparently corroborated by said hackers/crackers) used an exploit in awstats to gain entry. I'll repeat this very clearly since some people and worse some hosting providers are not listening to what is being said. Based on said information we do not believe, nor do we have any reason to believe, that our system was compromised due to any fault in phpBB 2.0.11.

Server update, unfortunately the datacenter where our box is located have been less than helpful. The box was supposed to have been shipped Monday, it wasn't. With further pushing we were told it would definitely ship yesterday (Tuesday), it didn't. The box is now being collected "manually". Very unimpressive service quite frankly. Because of this we are now working to an altered plan which may see the site return tomorrow (Thursday 9th) or Friday (10th). Please note that we will not be able to comment on the method used to exploit our site for at least several days.

It is actually quite frustrating at present that some hosting providers are asking or forcing their customers to remove installs of phpBB 2.0.11 due to the loss of phpbb.com. As I say above, our best available information right now is that phpBB was not to blame. If a hosting provider knows different perhaps they can inform us (along with details of how they know!).

Equally it's annoying to see some people posting the same old highlighting exploit claiming their 2.0.11 board was hacked via it. Again unless my team and indeed our other teams, heck large sections of our community, are all lying to me that vulnerability was fixed in 2.0.11. Sites running .11 and claiming (or their hosts claiming) to have been attacked using it should take a close look at other applications they have installed. phpBB is not alone in being exploited, all the major boards can be if you don't update as new releases are made. Equally users should ensure the relevant highlighting fix is indeed present. Over the years we've dealt with thousands of users who say they've patched something (be it an exploit or bug) but upon examination we've discovered the problem code is still there. Equally hosts should look at their own systems. Are you running awstats if so have you updated? Do you regularly update your OS and particularly the kernel (if appropriate) as fixes are released? Are your users running old versions of other PHP/Perl/etc. software? Have you set appropriate permissions on key folders such as /tmp and /var/tmp? Is your webserver running with as few permissions as possible? Just because we overlooked something doesn't mean you should!
Hopefully Cpanel will get around to updating awstats before we start having similar problems here.
__________________
Jeep Horizons - Pass51
California Jeeper - Pass51
Code3TJ is offline  
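Two of the host-level questions in the phpBB.com notice quoted above ("Have you set appropriate permissions on key folders such as /tmp and /var/tmp?" and "Is your webserver running with as few permissions as possible?") can be checked mechanically. What follows is an added example, not code from the thread or from phpBB, that does both. The expected shape of a shared temp directory (mode 1777, world-writable with the sticky bit) is standard Unix practice; the daemon names `httpd`/`apache`/`apache2`, the `ps -eo user,pid,ppid,comm` column layout and the sample process list are assumptions and constructed data, not observations from any real host.

```python
"""Added example: two host-level checks from the phpBB.com notice, shared temp
directory permissions and web server worker privileges. The daemon names, the
`ps -eo user,pid,ppid,comm` column layout and SAMPLE_PS are assumptions."""
import os
import stat

WEB_SERVER_NAMES = ("httpd", "apache", "apache2")  # assumed daemon names


def evaluate_tmp_mode(path, mode):
    """Findings for a shared scratch directory given its permission bits.
    The expected shape is 1777: world-writable, but with the sticky bit set so
    one account (the web server user included) cannot delete or rename files
    that another account created there."""
    findings = []
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("%s: world-writable without sticky bit (mode %04o)" % (path, mode))
    return findings


def check_shared_tmp(path):
    """stat() a directory such as /tmp or /var/tmp and evaluate its mode."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % path]
    return evaluate_tmp_mode(path, stat.S_IMODE(st.st_mode))


def parse_ps(ps_output):
    """Turn `ps -eo user,pid,ppid,comm` output into dicts, skipping the header."""
    rows = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, comm = parts
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid), "comm": comm})
    return rows


def root_web_workers(ps_output):
    """PIDs of web server *worker* processes running as root. The master
    process normally starts as root to bind port 80 and then forks workers as
    an unprivileged user, so only processes whose parent is itself a web server
    process are flagged; a root-owned worker means requests (and any CGI they
    spawn) run with full privileges."""
    rows = parse_ps(ps_output)
    server_pids = {r["pid"] for r in rows if r["comm"] in WEB_SERVER_NAMES}
    return [r["pid"] for r in rows
            if r["comm"] in WEB_SERVER_NAMES
            and r["ppid"] in server_pids
            and r["user"] == "root"]


# Constructed sample process list (not captured from a real host): one root
# master, two workers as "nobody", and one worker wrongly running as root.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root      2100     1 httpd
nobody    2101  2100 httpd
nobody    2102  2100 httpd
root      2103  2100 httpd
nobody    2200  2100 perl
"""

if __name__ == "__main__":
    for d in ("/tmp", "/var/tmp"):
        for finding in check_shared_tmp(d):
            print(finding)
    print("root-owned web workers in sample:", root_web_workers(SAMPLE_PS))
```

Against a live host, replace `SAMPLE_PS` with the output of `ps -eo user,pid,ppid,comm`; in the sample the only flagged PID is 2103, the worker that inherited root instead of dropping to "nobody".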
Old February 9th, 2005, 5:37 PM   #8 (permalink)
Registered User
Fresh Surpasser
 
Joined in Feb 2005
6 posts
Gave thanks: 0
Thanked 0 times
I am also concerned by this, and hope that Surpass will be updating all the copies of awstats on their servers soon.
whoisrich is offline  
Old February 9th, 2005, 5:48 PM   #9 (permalink)
Registered User
Comfy Contributor
 
Joined in Oct 2004
132 posts
Gave thanks: 1
Thanked 0 times
I was running an older version of advanced guestbook and it was hacked and I lost most of the posts...however I did have an older backup and recovered 75% of the entries!...now I am checking EVERYTHING to make sure it is updated. PHP is a GREAT web tool but it can also be very dangerous if not coded properly. Same goes with asp and other "web software"...

I frequent all the forums of all the software I have installed on my site now to keep up to date on bug fixes and exploits...I suggest EVERYONE do the same!

PS..I did submit a ticket and it is being looked into...
__________________
SERVER: PASS 16
mikespe is offline  