AWStats is Openly Accessible

Nessus Plugin ID 26056

Synopsis

The remote web server allows access to its usage reports.

Description

The remote web server is running a version of AWStats that appears to be reachable from the entire Internet. Exposing AWStats without access control gives an attacker detailed knowledge of the web server and the content it hosts, including the paths of administrative backends or private files that the usage reports reveal.

Note that this may not be a concern if the scan was performed on an internal network.

Solution

Access to AWStats should be restricted to authorised networks/hosts only, or protected with some form of HTTP Basic authentication.
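One way to apply this remediation, as an added example that is not part of the plugin page: an Apache httpd 2.4 fragment that restricts the AWStats CGI to a trusted network range or to an authenticated user. It assumes AWStats is served as a CGI script from /usr/lib/cgi-bin and that a password file /etc/apache2/awstats.htpasswd has been created with htpasswd; the network range is a constructed value.

```apache
# Added example (not from the plugin page). Assumed layout: AWStats runs as
# /usr/lib/cgi-bin/awstats.pl under Apache httpd 2.4; adjust paths as needed.

# Open configuration that triggers this finding: anyone who can reach the
# server can read the usage reports.
# <Directory "/usr/lib/cgi-bin">
#     Require all granted
# </Directory>

# Hardened configuration: a request is allowed if it comes from the trusted
# range OR presents valid Basic-Auth credentials; everything else gets 401.
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .pl

    AuthType Basic
    AuthName "AWStats reports"
    # Assumed password file, e.g. created with:
    #   htpasswd -c /etc/apache2/awstats.htpasswd reportviewer
    AuthUserFile /etc/apache2/awstats.htpasswd

    <RequireAny>
        # Constructed example: internal management network only
        Require ip 10.20.0.0/16
        # Otherwise require a user from AuthUserFile
        Require valid-user
    </RequireAny>
</Directory>
```

Because Basic authentication only base64-encodes the credentials, serve the AWStats path over HTTPS; after reloading httpd, a request from outside the trusted range (for example `curl -I https://host/cgi-bin/awstats.pl`) should return 401 rather than 200, which is the check that clears this plugin.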

Plugin Details

Severity: Info

ID: 26056

File Name: awstats_open.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 9/14/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:laurent_destailleur:awstats

Required KB Items: www/AWStats

Excluded KB Items: Settings/disable_cgi_scanning