Logged In: NO
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
I have a question regarding the security of having the
awstats.pl script be run by a person wanting to view
I am new at this, so my views may be incorrect.
Please correct me if I am wrong.
Now, for the question. Since executing the script in
a cron job outputs the html page that a user would
view when viewing the stats, why not use the following
command in the cron job and the second following link
to have users view the output?
^^^ The above should be all one line. That creates an
html page that can be viewed by the user that has
updated information from the last time the cron job
To view the stats:
That shows the page with the output.
Is there a need to have the user run the perl script
when viewing the page? The information is only
updated during the cron job anyway. I noticed that
you can provide input to the perl script from the web
That updates the data and outputs it to the browser.
Since any person can provide input to the script here,
is it possible that someone could attempt to crash the
script and gain access?
Logged In: YES
Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; Hotbar 2.0)
You can also work the way you say:
That's another solution, but you loose the real-time
feature of AWStats. Is it better for security ? No.
You can have two ways to attack your www server.
1) using a bug of your server (AWStats has nothing to deal
2) using a Deny Of Services Attack on a page or CGI:
Everyone can launch awstats if you put it in cgi-bin, yes,
but every one can also
download /home/httpd/html/stats/index.html ! So result is
the same. Someone can make a DOS attack on your web server
asking to run awstats.pl a lot of times but he can also
make the same DOS attack asking a lot of times your
index.html. The result is the same, your server runs out of
CPU or your bandwith is full (asking awstats.pl requires
however more CPU than an index index.html).
You think about a third way when you say someone can pass
parameters using an URL like "awstats.pl?xxxxx". You're
right. Someone can pass parameters by this way but those
parameters are get by awstats and are used as "data" not
as "runnable code". Some compiled CGI program with a bad
coding of parameters memory management can crash if you
send rubbish parameters and a dump file / core dump can be
created and it's still possible that this dump file
contains runnable code, later run by someone curious to
know what is this file, or as a CGI. This is possible
in "pessimistic theory". But AWStats is in Perl, it means
you can't have memory management core dump... except if you
have a bug in your perl operating system interpreter, but
i'm becoming very very paranoiac !!!
So whatever are those parameters, the only thing a bad user
can do is getting statistics with no sense or an error
like "bad parameters"...
You can still use "/home/httpd/cgi-bin/awstats.pl
>/home/httpd/html/stats/index.html" if you want faster
Thank you for the clarification.