[conspire] AWstats security fix: static pages

Rick Moen rick at linuxmafia.com
Sun Oct 16 23:38:42 PDT 2005 

Turns out there _is_ a standard solution; it's just inadequately documented.
http://awstats.sourceforge.net/docs/awstats_tools.html includes:


  awstats_buildstaticpages.pl

  awstats_buildstaticpages allows you to launch AWStats with -staticlinks
  option to build all possible pages allowed by AWStats -output option.

  Usage:
  awstats_buildstaticpages.pl (awstats_options)
  [awstatsbuildstaticpages_options]

  where awstats_options are any option known by AWStats
  -config=configvalue is value for -config parameter (REQUIRED)
  -update option used to update statistics before to generate pages
  -lang=LL to output a HTML report in language LL (en,de,es,fr,...)
  -month=MM to output a HTML report for an old month=MM
  -year=YYYY to output a HTML report for an old year=YYYY

  and awstatsbuildstaticpages_options can be
  -awstatsprog=pathtoawstatspl gives AWStats software (awstats.pl) path
  -dir=outputdir to set output directory for generated pages
  -date used to add build date in built pages file name

  New versions and FAQ at http://awstats.sourceforge.net


There are implementation tips at the Debian Administration site,
http://www.debian-administration.org/articles/85:

  If you wish to have static HTML pages created instead you must run the
  following command line:

  /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl -update \
   -config=/etc/awstats/awstats.conf \
   -dir=/var/www/stats/ \
   -awstatsprog=/usr/lib/cgi-bin/awstats.pl

  This will use the configuration file "/etc/awstats/awstats.conf", to
  build some static pages which it will place in "/var/www/stats".

  As you can see this is quite a mouthful! However it's a simple thing
  to add to a script to run once a day.

  If you do this then you should disable the default updating of the
  statstics which happens every ten minutes by removing the file
  /etc/cron.d/awstats - if you are building static pages only once a day
  it is a waste of time updating the statics for online viewing more
  often.

  To handle multiple sites involves making a copy of the configuration
  file /etc/awstats/awstats.conf to a new name
  /etc/awstats/awstats.name.conf.

  Once this is done you can then update the statistics for a single host
  by specifying on the command line:

  -config=name

  This will update the statistics for the named configuration file.

  You can also examine the simple script
  /usr/share/doc/awstats/awstats-update which attempts to update all
  configuration files, modifying this to build static pages for each host
  is a simple enough matter.

I'm going to set the thing up that way, Real Soon Now, and then file a
bug with the Debian package maintainer suggesting that static-pages
should be the package's default installation mode, and _not_ CGI.

More information about the conspire mailing list