When awstats prints a raw log, it does not properly
escape HTML (& to &, < to <). Arbitrary HTML can
be left in, for example, a User-Agent header, which can
then perform a cross site scripting attack.
Note: The version of awstats that I use is customized
by my web host. That said, I'm still pretty sure this
is an awstats bug. If it's not, I apologize.