Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#1 Security implications of awstats.pl

closed
None
5
2012-10-11
2000-11-08
Anonymous
No

Discussion

  • Logged In: NO
    Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

    I have a question regarding the security of having the
    awstats.pl script be run by a person wanting to view
    the stats.

    I am new at this, so my views may be incorrect.
    Please correct me if I am wrong.

    Now, for the question. Since executing the script in
    a cron job outputs the html page that a user would
    view when viewing the stats, why not use the following
    command in the cron job and the second following link
    to have users view the output?

    cron job:
    /home/httpd/cgi-bin/awstats.pl www.mydomain.com
    >/home/httpd/html/stats/index.html

    ^^^ The above should be all one line. That creates an
    html page that can be viewed by the user that has
    updated information from the last time the cron job
    was run.

    To view the stats:
    www.mydomain.com/stats

    That shows the page with the output.

    Is there a need to have the user run the perl script
    when viewing the page? The information is only
    updated during the cron job anyway. I noticed that
    you can provide input to the perl script from the web
    browser:
    www.mydomain.com/cgi-bin/awstats.pl?www.mydomain.com

    That updates the data and outputs it to the browser.
    Since any person can provide input to the script here,
    is it possible that someone could attempt to crash the
    script and gain access?

    Thanks!
    Steve Cody
    scody@gulbrandsen.com

     
  • Logged In: YES
    user_id=96898
    Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; Hotbar 2.0)

    You can also work the way you say:

    "/home/httpd/cgi-bin/awstats.pl www.mydomain.com
    >/home/httpd/html/stats/index.html"

    That's another solution, but you loose the real-time
    feature of AWStats. Is it better for security ? No.

    You can have two ways to attack your www server.
    1) using a bug of your server (AWStats has nothing to deal
    with this).
    2) using a Deny Of Services Attack on a page or CGI:
    Everyone can launch awstats if you put it in cgi-bin, yes,
    but every one can also
    download /home/httpd/html/stats/index.html ! So result is
    the same. Someone can make a DOS attack on your web server
    asking to run awstats.pl a lot of times but he can also
    make the same DOS attack asking a lot of times your
    index.html. The result is the same, your server runs out of
    CPU or your bandwith is full (asking awstats.pl requires
    however more CPU than an index index.html).

    You think about a third way when you say someone can pass
    parameters using an URL like "awstats.pl?xxxxx". You're
    right. Someone can pass parameters by this way but those
    parameters are get by awstats and are used as "data" not
    as "runnable code". Some compiled CGI program with a bad
    coding of parameters memory management can crash if you
    send rubbish parameters and a dump file / core dump can be
    created and it's still possible that this dump file
    contains runnable code, later run by someone curious to
    know what is this file, or as a CGI. This is possible
    in "pessimistic theory". But AWStats is in Perl, it means
    you can't have memory management core dump... except if you
    have a bug in your perl operating system interpreter, but
    i'm becoming very very paranoiac !!!

    So whatever are those parameters, the only thing a bad user
    can do is getting statistics with no sense or an error
    like "bad parameters"...
    You can still use "/home/httpd/cgi-bin/awstats.pl
    www.mydomain.com
    >/home/httpd/html/stats/index.html" if you want faster
    results.

     
  • Logged In: NO
    Browser: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

    Thank you for the clarification.