AWStats: Flexible but Insecure
2006-05-03

Almost every web author wants to learn every detail about his site and its visitors. Other people typically interested in web analytics are web hosters, both as a service for customers and as an early-warning system in case of trouble. A graphical log file analyzer like AWStats transforms the rather dull log file content into a more comprehensible representation. AWStats aims to satisfy both user groups. The Perl script can be run from the command line to produce static HTML pages, or it can run as a CGI application. Although AWStats can also process log files for mail, FTP and other servers, it is most suitable for web servers. Configuration is done via a config file in which the location of the log file and the domain name(s) have to be specified. AWStats has no problems with multiple virtual hosts, even when their traffic is logged to the same file. Typically, the statistics are updated by a cron job; however, triggering updates via the web interface can also be enabled.
AWStats presents its data grouped by month. Visitors, number of visits, pages, hits and bandwidth are shown per day of the month, per day of the week and per hour. Averages and totals are available as well. Bar charts give a direct visual impression of the data. The next tables list the visitors' IP addresses (optionally grouped by country using geolocation), operating systems and browsers. Probably the most important statistics, the most popular URLs and referrers, are also found there, followed by the most frequent search queries and keywords. In the main window only the first few places are shown, but the complete data is available, too. Based on the time between a visitor's first and last document access, AWStats tries to calculate an average visit duration.

While the number of different statistics is quite impressive, the filtering options are not very helpful. The only available time spans are a month or a year, so asking how many people have downloaded PDF files from a certain directory during the last week is impossible. You can add further statistics by defining extensions in the config file. Using regular expressions, you can filter on URLs, referrers, virtual hosts and other parameters; this allows you, for example, to track product orders in an online shop.

AWStats received attention last year when the Lupper worm used an AWStats vulnerability to infect web servers around the net. To see how the developers reacted, OS Reviews took a quick look at the code. As a result, the following new vulnerabilities have been discovered:
Particularly notable about these holes is that they are very similar to previously discovered ones. The problems with calls to Perl's open function were already known before. Additionally, the developers claim that only one vulnerability has ever been found in the history of AWStats, which is simply not true. To be fair, not everything about AWStats is bad. However, unless its security record improves, AWStats should only be used to generate static content, or on a private web server.
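The "calls to the open function" mentioned above refer to a well-known Perl pitfall: the two-argument form of open() parses its second argument for a mode, so a string that starts or ends with '|' is executed as a shell command instead of being opened as a file. The script below is an added illustration written for this review, not AWStats' own code; the parameter name, the directory layout and the attacker value are constructed for the example. It shows the vulnerable pattern next to the hardened one (a whitelist on the user-supplied name plus the three-argument open() with an explicit mode) and runs offline.

```perl
#!/usr/bin/perl
# Added illustrative example (not AWStats code): why a Perl two-argument
# open() on user-controlled data is a command-execution hole, and the
# three-argument form plus input validation that closes it.
use strict;
use warnings;
use File::Temp qw(tempdir);

# VULNERABLE: two-argument open() looks for a mode inside the string.
# A trailing '|' means "run this as a command and read its output";
# a leading '|', '>' or '>>' is just as dangerous. Anything that came
# from a query string must never reach this form.
sub read_file_unsafe {
    my ($path) = @_;
    open(my $fh, $path) or die "open failed: $!";
    my $content = do { local $/; <$fh> };
    close $fh;
    return $content;
}

# HARDENED: the directory is fixed by the script, the user only supplies a
# short config name that is whitelisted first (no '/', no whitespace, no
# '|'), and the three-argument open() with an explicit '<' mode treats the
# resulting path as a literal file name, never as a command.
sub read_config_safe {
    my ($dir, $name) = @_;
    die "bad config name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;
    my $path = "$dir/awstats.$name.conf";
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my $content = do { local $/; <$fh> };
    close $fh;
    return $content;
}

# Constructed input: a config directory with one legitimate file.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/awstats.example.conf") or die "cannot write: $!";
print {$out} "SiteDomain=\"example.org\"\n";
close $out;

# Constructed attacker value, as it might arrive in a CGI parameter.
my $evil = "echo pwned-by-two-arg-open |";

# Two-arg open() runs the echo command and hands us its output.
print "unsafe: ", read_file_unsafe($evil);

# Three-arg open() with a whitelisted name reads the real file ...
print "safe:   ", read_config_safe($dir, "example");

# ... and refuses the attacker value before any open() happens.
eval { read_config_safe($dir, $evil) };
print "safe rejected attacker value: $@";
```

Running the script prints the echo output under "unsafe", the real config line under "safe", and the rejection message for the attacker value. Two further checks a practitioner would want: running the CGI under taint mode (`perl -T`) makes Perl refuse to pass tainted data to open() at all, and the review's closing advice to serve only static content amounts to keeping the script off the web entirely, i.e. running awstats.pl from cron with `-update` and writing its `-output` to files, with browser-triggered updates left disabled.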
Copyright 2006–2008 OS Reviews. This document is available under the terms of the GNU Free Documentation License. See the licensing terms for further details.