So it *was* AWStats

AWStats sucks, I am done with it. I have disabled it since my server got hacked last time, and according to this that *was* the point of entry!!

– ————————————————————————–
Debian Security Advisory DSA 1058-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
May 18th, 2006 http://www.debian.org/security/faq
– ————————————————————————–

Package : awstats
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2237
BugTraq ID : 17844
Debian Bugs : 364443 365909 365910

Hendrik Weimer discovered that specially crafted web requests can
cause awstats, a powerful and featureful web server log analyzer, to
execute arbitrary commands.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 6.4-1sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 6.5-2.

We recommend that you upgrade your awstats package.

And it is DONE!!!!

ayn@NGBERT:~>sudo apt-get remove awstats
Reading Package Lists… Done
Building Dependency Tree… Done
The following packages will be REMOVED:
awstats
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B of archives.
After unpacking 4202kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database … 45001 files and directories currently installed.)
Removing awstats …

Technorati Tags: , ,

Leave a Reply