AwStats and Cgi-bin directory: security concerns!

Discussion in 'Plesk for Linux - 8.x and Older' started by Fenice, Mar 15, 2007.

  1. Fenice

    Fenice Guest


    I have Plesk 8.1 running on my server. I have always been ultra careful on my systems, taking a multi-layered security approach to protect my work.

    Today, I noticed something disconcerting. When I create a website with no access to the cgi-bin directory, a ScriptAlias for the website is automatically set to the system-wide cgi-bin. It wouldn't be a problem if the cgi-bin was empty, but it actually contains the awstats directory with the awstats.pl executable - even though you are not using awstats on any of your websites.

    I realized this after a few months, and I now fear some malicious users could have used this hole to attack my server, as awstats has been known for being one of the favorite points of entry to the system for hackers and script kiddies.

    I want to know from SwSoft what this hole can cause on our system, and why they set up Plesk 8.1 to leave access to the cgi-bin/awstats directory by default.
  2. Spre

    Spre Guest

    awstats is a complete security risk. The fact that SwSoft put it in Plesk means they care about one thing: themselves. Do not use it and get rid of awstats. Every site exploit/hack that has gone on for the last few years has ALL been traced back to awstats.
  3. JoaoCorreia

    JoaoCorreia Guest

    How do I remove awstats?

    rpm -e awstats --nodeps

    Best regards
    Joao Correia
  4. DerFalk

    DerFalk Guest

    rpm -e awstats-6.5-2.swsoft.noarch
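
A defensive check for the situation described in the first post, as an added example that is not from the thread or from Plesk: it lists every directory that ScriptAlias directives point at, how many site config files reference it, and which files under it are executable. The config files to inspect are passed in by the caller, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit ScriptAlias targets across
# Apache site config files. Function names are hypothetical.
# Usage: sh audit.sh <site-config-file>...

# Emit "config-file<TAB>directory" for each ScriptAlias directive.
# Commented-out directives are skipped; paths containing spaces are not handled.
list_scriptaliases() {
    [ "$#" -gt 0 ] || return 0
    awk 'tolower($1) == "scriptalias" && NF >= 3 {
             dir = $3
             gsub(/"/, "", dir)                     # drop optional quoting
             if (dir != "/") sub(/\/+$/, "", dir)   # normalise trailing slash
             printf "%s\t%s\n", FILENAME, dir
         }' "$@"
}

# For each target directory print "DIR <dir> used_by=<n>", where n is the
# number of distinct config files aliasing it, then every executable file
# under it as "  EXEC <path>". used_by > 1 means the directory is shared.
audit_scriptalias() {
    list_scriptaliases "$@" |
    awk -F '\t' '!seen[$2 SUBSEP $1]++ { count[$2]++ }
                 END { for (d in count) print count[d], d }' |
    sort -k2 |
    while read -r n dir; do
        echo "DIR $dir used_by=$n"
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -u=x | sort | sed 's/^/  EXEC /'
    done
}

# Run the audit when config files are given on the command line.
[ "$#" -eq 0 ] || audit_scriptalias "$@"
```

A shared directory that lists `awstats/awstats.pl` as EXEC after the package has been removed means the script is still reachable through every site that aliases it.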