AWStats security warning

aww

Please be advised, the popular AWStats program before version 6.3 apparently has a big security hole:
http://lists.netsys.com/pipermail/full-disclosure/2005-January/031002.html
Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with the option AllowToUpdateStatsFromBrowser set to 0, you are safe. If not, it is highly recommended to update to version 6.3, which fixes this security hole.
phpBB was taken down using the above technique, as were several large blogs.

More info is also available in a Netcraft article.

Update here: http://awstats.sourceforge.net/
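
An added example, not part of the original post and not AWStats code: a small audit that applies the rule quoted above (affected range 5.0 to 6.2, safe when AllowToUpdateStatsFromBrowser is 0) to a set of config files. The `awstats*.conf` file naming, the function names, and the sample configs are assumptions made for illustration; the installed version is supplied by the operator.

```python
import re
import sys
from pathlib import Path

# '#' at line start is a comment, so commented-out directives never match.
DIRECTIVE = re.compile(
    r'^\s*AllowToUpdateStatsFromBrowser\s*=\s*"?([^"\s#]*)"?', re.IGNORECASE)

def browser_update_values(conf_text):
    """Every value assigned to the directive in one config file."""
    return [m.group(1) for line in conf_text.splitlines()
            if (m := DIRECTIVE.match(line))]

def in_affected_range(version):
    """True for 5.0 through 6.2, the range named in the advisory."""
    major, minor = (int(p) for p in (version.split(".") + ["0"])[:2])
    return (5, 0) <= (major, minor) <= (6, 2)

def classify(version, conf_text):
    """'ok', 'exposed', or 'review' (directive absent: check the default by hand)."""
    if not in_affected_range(version):
        return "ok"
    values = browser_update_values(conf_text)
    if not values:
        return "review"
    # Conservative: any non-zero assignment counts, whichever one AWStats honours.
    return "ok" if all(v == "0" for v in values) else "exposed"

def audit(version, conf_dir):
    """Classify each awstats*.conf under conf_dir (file naming is an assumption)."""
    return {p.name: classify(version, p.read_text(errors="replace"))
            for p in sorted(Path(conf_dir).glob("awstats*.conf"))}

# Constructed sample configs, not taken from a real server.
SAMPLES = {
    "awstats.shop.conf": 'SiteDomain="shop.example"\nAllowToUpdateStatsFromBrowser=1\n',
    "awstats.blog.conf": '#AllowToUpdateStatsFromBrowser=1\nAllowToUpdateStatsFromBrowser = "0"  # off\n',
    "awstats.wiki.conf": 'SiteDomain="wiki.example"\n',
}

if __name__ == "__main__":
    # Usage: script.py <installed-version> [config-dir]; without a dir, uses SAMPLES.
    version = sys.argv[1] if len(sys.argv) > 1 else "6.2"
    results = (audit(version, sys.argv[2]) if len(sys.argv) > 2
               else {n: classify(version, t) for n, t in SAMPLES.items()})
    for name, status in results.items():
        print(f"{status:8} {name}")
```

A "review" result means the file never sets the directive, so the effective value depends on the installed version's default and should be confirmed by hand.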
 
I saw that phpbb.com was attacked yesterday, but at that time, they had not released any info on how and what had happened! Thanks for posting this info!

It's too bad that had to happen to phpbb, but what I am wondering is why they would only run their community off one server. At the magnitude they run, you would think they would be on two servers at least for reasons such as this! HMM.
 