[Smaug] Need a security dude.

Rick Moen rick at linuxmafia.com
Mon Dec 26 13:13:31 PST 2005

Thomas --

As an additional question, do you have AWstats installed?  (That
question was sort of implied by my earlier post, but I might as well
make it explicit.)

Last January, my Web site's front page was defaced by someone operating
from Brazil, possibly the same fellow.  Forensic examination determined
that he had gotten httpd authority via ASstats, which I'd been foolish 
enough to install in its default configuration, which exposes a badly
written Perl CGI to public URL data as input -- which CGI, alas, does an
abysmal job at validating input.  (It really should be running in Perl's 
"taint" mode and santising all input.)  

I've since then helped file a bug with my distro's package maintainer
for AWstats:  He agreed with my suggestion of changing AWstats's default
installation mode to generate stat pages statically via cronjob, rather
than dynmaically from a CGI.

However, the larger point is that there are some really wretchedly
written Web applications out there.[1]  A lot of them are overfeatured PHP
things, but, as AWstats proves, you can write lousy code in any
language.  ;->   My mistake was in assuming that package maintainers' 
quality control standards were good enough protection.

And, of course, any Web apps you choose to install _outside_ your
distro's package system, i.e., code for which you won't get automated
security updates, is doubly in need of your scrutiny.

[1] See entry for Lupper inside

More information about the Smaug mailing list