Web Stats Software Vulnerability Leads to Attacks

Web sites using an older version of AWStats, a popular tool for generating Web statistics, are being compromised by a flaw in the application that allows the execution of arbitrary commands on a server.

A leading anti-virus and security company has advised users of a popular Web stats logging application to update to the latest version of the software after seeing an increasing number of attempts to use a known bug to compromise servers.

In a posting on the Viruslist.com Weblog on Tuesday, virus analysts from Kaspersky Lab warned that they had seen "vast numbers" of sites compromised using a vulnerability in AWStats, a free tool for generating graphical statistics for Web sites. The vulnerability, which affects versions of AWStats up to and including 6.2, allows the execution of arbitrary commands on a server, effectively giving malicious hackers complete control over the machine.

One of the sites compromised by the issue was PhpBB.com, home of the popular Web forum software PhpBB. A group apparently from Brazil and calling itself "The Simians Crew" used the vulnerability to deface the PhpBB site with political messages, including a picture of U.S. President George W. Bushs head superimposed on the body of a monkey.

The PhpBB team later posted a short message on the site denouncing the groups actions, adding that "at present www.phpbb.com is offline due to a group of politically motivated hackers wishing to use an open-source project to push their agenda ... shame on them."

The vulnerability, known as the AWStats configdir Remote Command Execution Exploit, was first disclosed on Jan. 17 by security firm iDefense. By using an error in the programs input validation routine, a user can execute arbitrary commands on the server, effectively giving full access to the machine.

Users can download version 6.3, which corrects the error and removes the vulnerability, here.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.