AWStats

Flexible but Insecure

Hendrik Weimer

2006-05-03


Almost every web author wants to know as much as possible about his site and its visitors. The other group typically interested in web analytics are web hosters, both as a service for their customers and as an early-warning system in case of trouble. A graphical log file analyzer like AWStats turns the rather dull raw log file into a more comprehensible representation.

AWStats aims to satisfy both groups. The Perl script can be run from the command line to produce static HTML pages, or it can run as a CGI application. Although AWStats can also process log files from mail, FTP and other servers, it is most suitable for web servers.

Configuration is done via a config file in which the location of the log file and the domain name(s) have to be specified. AWStats has no problems with multiple virtual hosts, even when their traffic is logged to the same file. Typically, the statistics are updated by a cron job; however, triggering updates via the web interface can also be enabled.

[Screenshot: Monthly summary]

AWStats presents its data grouped by month. Visitors, number of visits, pages, hits and bandwidth are shown per day of the month, per day of the week and per hour. Averages and totals are available as well. Bar charts give a direct visual impression of the data.

The next tables list the visitors' IP addresses (optionally grouped by country using geolocation), operating systems and browsers. Probably the most important statistics, the most popular URLs and referrers, are also found there, followed by the most frequent search queries and keywords. In the main window only the first few places are shown, but the complete data is available, too. Based on the time between a visitor's first and last document access, AWStats tries to calculate an average visit duration.

While the number of different statistics is quite impressive, the filtering options are not very helpful. The only available time spans are a month or a year, so a question like how many people have downloaded PDF files from a certain directory during the last week cannot be answered.

You can add further statistics by defining extensions in the config file. Using regular expressions, you can filter on URLs, referrers, virtual hosts and other parameters; this allows you, for example, to track product orders in an online shop.

AWStats received attention last year when the Lupper worm used an AWStats vulnerability to infect web servers around the net. To see how the developers have reacted, OS Reviews took a quick look at the code. As a result, the following new vulnerabilities have been discovered:

  • If updating the statistics via the web front-end is allowed, a remote attacker can execute arbitrary code on the server with a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") reaches an insecure call to Perl's open function, which executes the rest of the input as a shell command. The code runs with the privileges of the process running the AWStats CGI.
  • Arbitrary code can also be executed via a specially crafted configuration file if an attacker can place a file with a chosen name and content on the server (e.g. by using an FTP account on a shared hosting server). In that configuration file, the LogFile directive can be used to execute shell commands following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability.
  • Furthermore, the cross-site scripting vulnerability described in CVE-2006-1945 also exists for the diricons parameter, and possibly for other parameters as well.
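Both code execution holes above stem from the same Perl idiom: the two-argument form of open, which parses the access mode (and a pipe) out of the string it is given. The following script is an added illustration written for this review, not code from AWStats; the function names, the sample log line and the attacker values are constructed for the example, and the path check in the fixed version is one reasonable hardening rather than the one the AWStats developers chose.

```perl
#!/usr/bin/perl
# Added illustration, not AWStats code: why a two-argument open() on
# attacker-influenced input runs a command, and what the fixed version looks like.
use strict;
use warnings;
use File::Temp qw(tempfile);

# VULNERABLE PATTERN (hypothetical function modelled on the bug class the
# review describes). The mode is parsed out of the string itself: a value that
# begins with '|' opens a pipe TO a command (the rest of the string), a value
# that ends with '|' opens a pipe FROM one. Either way the command executes,
# with the privileges of the process running the script (the CGI, in AWStats).
sub read_log_unsafe {
    my ($path) = @_;
    open(my $fh, $path) or die "open '$path' failed: $!\n";
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# FIXED PATTERN: validate the value as a path, then use the three-argument
# form of open, which takes the mode separately and never treats '|' as
# anything but an ordinary file-name character.
sub read_log_safe {
    my ($path) = @_;
    # Allow only characters a log-file path can legitimately contain, and
    # refuse '..' components so the caller cannot wander out of its directory.
    die "rejected '$path': unsafe characters\n"
        unless $path =~ m{\A[\w./-]+\z};
    die "rejected '$path': parent-directory component\n"
        if $path =~ m{(?:\A|/)\.\.(?:/|\z)};
    open(my $fh, '<', $path) or die "open '$path' failed: $!\n";
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# --- demonstration -----------------------------------------------------------
# Constructed sample log file (one Apache combined-format line) so the script
# runs offline.
my ($tfh, $logname) = tempfile(UNLINK => 1);
print $tfh '127.0.0.1 - - [03/May/2006:10:15:00 +0200] ',
           '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"', "\n";
close $tfh;

# Constructed attacker values. A harmless command is used so the effect is
# visible without doing damage; '|id >/tmp/x' would be executed the same way.
my $trailing_pipe = 'echo this-came-from-a-command|';   # read from command
my $leading_pipe  = '|cat >/dev/null';                  # write to command

my $lines = read_log_unsafe($trailing_pipe);
print "unsafe open read from a command: @$lines";       # this-came-from-a-command

for my $value ($trailing_pipe, $leading_pipe, $logname) {
    my $result = eval { read_log_safe($value) };
    if ($result) {
        printf "safe open accepted %s and read %d line(s)\n", $value, scalar @$result;
    } else {
        print "safe open $@";
    }
}
```

Run it as an ordinary user; the "unsafe" line shows output produced by a command that was never meant to run, while the validated three-argument version rejects both pipe values and still reads the real log file. Note that the three-argument open alone is enough to stop the command execution; the character whitelist and the ".." check are there because a parameter that names a file should not be allowed to name arbitrary files either.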

Particularly notable about these holes is that they are very similar to previously discovered ones: the problems with calls to the open function were already known before. Additionally, the developers claim that only one vulnerability has ever been found in the history of AWStats, which is simply not true.

To be fair, not everything about AWStats is bad. However, unless its security record improves, AWStats should only be used to generate static content from the command line, or on a private web server.

AWStats
Version: 6.5
Homepage: http://awstats.sourceforge.net/
License: GPL
Distributions: packaged in Debian stable, Debian unstable, Fedora, Mandriva and Ubuntu; not in Suse
Rating: 72
Pros:
  • Customization with Extensions
Cons:
  • Poor Security
  • Few Filtering Options

Copyright 2006–2008 OS Reviews. This document is available under the terms of the GNU Free Documentation License. See the licensing terms for further details.