Here, you can find the common questions about security problems when setting or using AWStats.<br>
<ul>
FAQ-SEC100 <a href="#CSSATTACK">Can AWStats be used to make Cross Site Scripting Attacks ?</a><br>
-<!--FAQ-SEC150 <a href="#SECUSER">How can I prevent some users to see statistics of other users ?</a><br>-->
+FAQ-SEC150 <a href="#SECUSER">How can I prevent some users to see statistics of other users ?</a><br>
FAQ-SEC200 <a href="#WORMS">How to manage log files (and statistics) corrupted by worms attacks like 'Code Red Virus like'.</a><br>
</ul>
log analyzer report page.<br>
<br>
-<!--
<a name="SECUSER"></a><br>
<b><u>FAQ-SEC150 : HOW CAN I PREVENT SOME USERS TO SEE STATISTICS OF OTHER USERS ?</u></b><br>
<font style="color: #660000">PROBLEM:</font> I don't want a user xxx (having a site www.xxx.com) to see statistics of user yyy (having
a site www.yyy.com). How can i setup AWStats for this ?<br>
<font style="color: #4444cc">SOLUTION:</font>
-If you host different users/sites, it means you have different config files.<br>
-A common way to manage securities right is to put awstats.pl in a directory protected by an authentication (.htaccess with Apache).
-Then, you set all files permissions on user config files (awstats.xxx.conf, awstats.yyy.conf...) to be readable by owner user
-only (xxx for awstats.xxx.conf, yyy for awstats.yyy.conf...). With this setup, if a user xxx try to see statistics for user
-yyy (using the URL http://provider.com/cgi-bin/awstats.pl?config=yyy), AWStats will be ran by user xxx (because awstats.pl is in
-a protected directory) and won't be able to read config file for user yyy (because only user yyy can read his config file).<br>
+Take a look at the <a href="awstats_security.html">security page</a>.<br>
<br>
--->
<a name="WORMS"></a><br>
<b><u>FAQ-SEC200 : HOW TO MANAGE LOG FILES (AND STATISTICS) CORRUPTED BY 'CODE RED VIRUS LIKE' ATTACKS ?</u></b><br>
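Review bot: the new FAQ-SEC150 SOLUTION line replaces the whole answer with a bare link, and in doing so drops the only place the docs describe the per-user file-permission model (awstats.pl in an authenticated directory so it runs under the requesting user's identity, each awstats.xxx.conf readable only by its owner, so a request with config=yyy from user xxx fails on the config read). The linked security page does not carry that model over: its CGI option says the database files must be readable by the anonymous web server user. Either keep a one-sentence summary of the permission-based setup here or add it to the security page, otherwise the strongest CGI-side control documented so far disappears from the manual. Also, the entry is still wrapped in `<ul>` with `<br>`-separated lines rather than `<li>`; fine for consistency with the other entries, but the now-uncommented line should match their exact form.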
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<html>
+<head>
+<meta name="description" content="AWStats Documentation - Security page">
+<meta name="keywords" content="awstats, awstat, security, tips">
+<meta name="robots" content="index,follow">
+<meta name="title" content="AWStats Documentation - Security page">
+<title>AWStats Documentation - Security page</title>
+<link rel="stylesheet" href="styles.css" type="text/css">
+</head>
+
+<body topmargin=10 leftmargin=5>
+
+
+<table style="font: 10pt arial,helvetica,verdana" cellpadding=0 cellspacing=0 border=0 bgcolor=#FFFFFF width=100%>
+
+<!-- Large -->
+<tr style="font: 10pt arial,helvetica,verdana">
+<td bgcolor=#9999cc align=center><a href="/"><img src="images/awstats_logo1.png" border=0></a></td>
+<td bgcolor=#9999cc align=center>
+<br>
+<font style="font: 16pt Times;" color=#EEEEFF><b>AWStats logfile analyzer 4.0 Documentation</b></font><br>
+<br>
+</td>
+<td bgcolor=#9999cc align=center>
+
+</td>
+</tr>
+
+</table>
+
+
+<br><br><font style="font: 26px Times;">Little tips about Security</font><br><br>
+
+A lot of AWStats users have several web site to manage. This is particularly true for web hosting providers.
+The most common things you would like to do is to prevent user xxx (having a site www.xxx.com) to see
+statistics of user yyy (having a site www.yyy.com).<br>
+<br>
+This is example of possible way of working:<br>
+<br>
+<u>1) HIGHLY SECURED</u><br>
+<b>Policy</b>:<br>
+All statistics pages for a config/domain file are built in static html files using <b>-output -staticlinks</b> option.<br>
+There is no CGI use of AWStats and static built pages are stored in a web protected <b>realm</b> to
+be securely viewed by correct allowed users only (or sent by mails).<br>
+<b>+</b>: Highly secured.<br>
+<b>-</b>: Statistics are static, No way to have dynamic update/view.<br>
+<b>Note</b>: With this policy, AWStats database files can have their own permissions.
+So, set all AWStats database files built by the update process for config/domain1 to have read/write for <i>user1</i>
+(or an admin user) and NO read and/or NO write for any other users.
+If AWStats database files for config/domain1 are read protected, only allowed users can see statistics for config/domain1.<br>
+If AWStats database files for config/domain1 are write protected, only allowed users can update statistics for config/domain1.<br>
+This is a very good choice for web hosting providers with important customers.<br>
+<br>
+<u>2) MEDIUM SECURED</u><br>
+<b>Policy</b>: Statistics pages for a config/domain file can be read dynamically from a browser (with AWStats working as a CGI).<br>
+Use of <b>awstatsusers</b> file to list config/domain a particular user can see/update.<br>
+awstats.pl file must be saved in a web protected <b>realm</b> to allow awstats to get the username when running as CGI.<br>
+<b>+</b>: Statistics are dynamic.<br>
+<b>-</b>: AWStats database files must be readable by anonymous web server user, so if an experimented user can have an access to
+the server (telnet, ftp), he will be able to install and run a hacked version of AWStats that does not check permissions into the <b>awstatsusers</b>.<br>
+<b>Note</b>: With this policy, you must first create a text file called <b>awstatsusers</b>. This file is a text file
+with several records that contains two fields separated by a "<b>;</b>".
+First field is the user name allowed to read statistics from a browser.<br>
+Second field is a list (separated by comma "<b>,</b>") of all visible config/domain allowed for this user.<br>
+<u>Example of <b>awstatsusers</b> file:</u><br><i>
+user1;*<br>
+user2;www.domain2.com<br>
+user3;www.domain3a.com,www.domain3b.com<br>
+</i>
+<u>Example of directives you can add into Apache to have awstats.pl in a web protected realm:</u><br><i>
+<Files "awstats.pl"><br>
+AuthUserFile /path/to/.passwd<br>
+AuthGroupFile /path/to/.group<br>
+AuthName "Restricted Area For Customers"<br>
+AuthType Basic<br>
+require valid-user<br>
+</Files>
+</i><br>
+<br>
+Save the <b>awstatsusers</b> file in the <b>DirData</b> directory (directory where AWStats save its database) and put on this file "read only"
+permissions for everyone.<br>
+<br>
+<u>3) LOW SECURED</u><br>
+<b>Policy</b>: Same as 2 with no use of <b>awstatsusers</b>.<br>
+<b>+</b>: Setup is very easy (No need of particular setup). Statistics are dynamic.<br>
+<b>-</b>: No way to prevent stats for config/domain to be seen by a user that known the
+config/domain name and the url syntax to see stats of a particular config/domain.<br>
+<b>Note</b>: This is the most common way of working for all users that have only one hosts
+and no restricted accounts to manage.<br>
+
+
+
+
+
+<br>
+
+
+<br>
+<hr>
+
+<script language=javascript>
+ var lastmod = new Date(document.lastModified);
+ if (lastmod.getDate() > 0) {
+ if (lastmod.getDate()<10) zerod="0"
+ else zerod="";
+ if (lastmod.getMonth()<9) zerom="0"
+ else zerom=""
+ year2kok=lastmod.getYear();
+ if (year2kok<100) year2kok+=2000;
+ if ((year2kok>=100) && (year2kok < 1970)) year2kok+=1900;
+ document.writeln("Last revision: "+year2kok+"-"+zerom+(lastmod.getMonth()+1)+"-"+zerod+lastmod.getDate());
+ }
+</script>
+
+</body>
+</html>
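Review bot: the Apache example in the MEDIUM SECURED section writes `<Files "awstats.pl">` and `</Files>` as raw angle brackets inside the `<i>` block, so a browser will treat them as unknown HTML tags and not render them; readers will copy an `AuthUserFile`/`require valid-user` block with no enclosing container and get a server-wide or misplaced restriction. Escape them as `&lt;Files "awstats.pl"&gt;` and `&lt;/Files&gt;` (same applies anywhere else directives are pasted into the page). Three smaller points in the same section: `AuthGroupFile` is declared but `require valid-user` never consults groups, so either drop the line or show a `require group` example; `AuthType Basic` sends the credentials base64-encoded, not encrypted, so the realm should be stated as HTTPS-only or the page should say so; and "put on this file read only permissions for everyone" makes the `awstatsusers` file world-readable, which hands the user-to-site map to every local account. It only needs to be readable by the web server user, so recommend owner admin, group the web server group, mode 640 or equivalent, and no write bit for the web server user at all since the file lives in DirData next to the databases. Finally, the file header before this hunk has `--- /dev/null` but no `+++` line, so the new file's path is not in the patch even though the other hunks link to awstats_security.html.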
<br>
-<table cellspacing="0" cellpadding="0" border="0" width="600">
-<tr><td align="center" valign="top">
+<table cellspacing="6" cellpadding="6" border="0" width="600">
+<tr><td align="center" valign="top" width="50%">
-<table border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffff" width="280">
+<table border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffff" width="100%">
<tr><td align="center" bgcolor="#e9e9e9">
- <strong>Release Notes</strong>
+<strong>Release Notes</strong>
</td></tr><tr><td>
<A HREF="awstats_what.html">What is AWStats / Features</A>
</td></tr><tr><td>
<A HREF="awstats_changelog.txt">New Features / Changelog</A>
</td></tr><tr><td>
<A HREF="awstats_compare.html">Comparisons with other log analyzers</A>
-</td></tr><tr><td>
-<A HREF="awstats_license.html">AWStats License</A>
</td></tr></table>
-<br>
+</td><td align="center" valign="top" width="50%">
-<table border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffff" width="280">
+<table border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffff" width="100%">
<tr><td align="center" bgcolor="#e9e9e9">
<strong>Reference manual</strong>
</td></tr><tr><td>
<A HREF="awstats_setup.html">Setup and Run AWStats</A>
</td></tr><tr><td>
+<A HREF="awstats_security.html">Security setup</A>
+</td></tr><tr><td>
<A HREF="awstats_config.html">Configuration Directives/Options</A>
</td></tr></table>
-</td>
-
-
-<td align="center" valign="top">
+</td></tr>
+<tr><td colspan=2 valign="top" width="100%">
-<table border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffff" width="280">
+<table border="0" cellpadding="4" cellspacing="0" bgcolor="#ffffff" width="100%">
<tr><td align="center" bgcolor="#e9e9e9">
<strong>Other Topics</strong>
-</td></tr><tr><td>
-<A HREF="awstats_faq.html">Frequently Asked Questions</A>
-</td></tr><tr><td>
-<A HREF="awstats_benchmark.html">Benchmarks</A>
-</td></tr><tr><td>
-<A HREF="awstats.xml">XML Portable Application Descriptor</A>
</td></tr></table>
+</td></tr>
+<tr><td valign="top" width="50%">
+
+<A HREF="awstats_faq.html">Frequently Asked Questions</A><br>
+<A HREF="awstats_benchmark.html">Benchmarks</A>
+
+</td><td width="50%">
+
+<A HREF="awstats_license.html">AWStats License</A><br>
+<A HREF="awstats.xml">AWStats XML PAD File</A>
+
</td></tr></table>
</center>
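Review bot: the footer rework in this hunk mixes an unrelated layout change into the security-documentation commit; the only part tied to the feature is the new "Security setup" link under Reference manual, and the rest (two-column widths, moved License and XML PAD links, cellspacing changes) should land separately so it can be applied to every doc page in one pass. As written, the "Other Topics" table now contains only its header cell, while the links that used to sit under it (FAQ, Benchmarks, License, PAD file) are placed in a following table row outside that bordered table, so the heading no longer visually groups them and the bgcolor/cellpadding styling of the inner table does not apply to them. Either keep the links inside the "Other Topics" table or drop that now-empty table.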