| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Debian 13 |
| Webmin version | 2.520 |
| Virtualmin version | 7.50.0 |
| Webserver version | Apache/2.4.65 |
| Related packages | awstats |
Hello,
A security audit pointed out to us that an AWStats instance is exposed via the “ftp” subdomain of an account on two of our Virtualmin instances.
http://www.example.com/cgi-bin/awstats.pl is protected by basic HTTP authentication using the credentials file “/home/example/.awstats-htpasswd” as expected; however, http://ftp.example.com/cgi-bin/awstats.pl is open to the public.
The AWStats reached via the “ftp” subdomain appears to show statistics for the default Apache VHost, not for any particular account. Looking at the VHost configuration for accounts on the instances, they do not specify the “ftp” subdomain as an alias. (This may be intentional.)
Workaround: In Apache configuration files “/etc/apache2/sites-available/000-default.conf” and “/etc/apache2/sites-available/default-ssl.conf” add this block within the <VirtualHost> directive:
```apache
<Location /cgi-bin/awstats.pl>
    AuthName "Server statistics"
    AuthType Basic
    AuthUserFile /var/www/.awstats-htpasswd
    require valid-user
</Location>
```
Then execute as a super-user:
```sh
touch /var/www/.awstats-htpasswd
chown www-data:www-data /var/www/.awstats-htpasswd
apache2ctl -t && systemctl reload apache2
```
This obviously modifies a package-distributed configuration file, which will cause a “.dpkg-dist” file to appear when the Apache 2 package is updated, therefore making a separate VHost config to protect the default AWStats may be more ideal.
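As an added example (not the original poster's commands), the "separate config" alternative from the last paragraph done in shell: a conf-available snippet at server scope, so the package-owned 000-default.conf and default-ssl.conf stay untouched, plus a curl check that awstats.pl on each hostname now answers 401 rather than 200. The snippet name, the `admin` user, root:www-data ownership and the use of `htpasswd` from apache2-utils are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths below are hypothetical
# defaults and can be overridden through the environment.
set -eu

APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/apache2}"
AWSTATS_HTPASSWD="${AWSTATS_HTPASSWD:-/var/www/.awstats-htpasswd}"

# Write the protection block at server scope. Apache applies <Location>
# sections inside a <VirtualHost> after matching sections outside it, so
# account vhosts that already set their own AuthUserFile keep it, while
# vhosts without one (the default vhost reached via "ftp.") get this one.
write_awstats_auth_conf() {
    conf_file="$1"; htpasswd_file="$2"
    cat > "$conf_file" <<EOF
<Location /cgi-bin/awstats.pl>
    AuthName "Server statistics"
    AuthType Basic
    AuthUserFile $htpasswd_file
    Require valid-user
</Location>
EOF
}

# Return 0 if the URL demands authentication (HTTP 401), 1 otherwise.
# Prints the observed status so the audit evidence is visible.
awstats_requires_auth() {
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1")
    echo "$1 -> HTTP $status"
    [ "$status" = "401" ]
}

if [ "${1:-}" = "install" ]; then
    write_awstats_auth_conf "$APACHE_CONF_DIR/conf-available/awstats-auth.conf" "$AWSTATS_HTPASSWD"
    # First user "admin" is a placeholder; htpasswd prompts for its password.
    [ -f "$AWSTATS_HTPASSWD" ] || htpasswd -B -c "$AWSTATS_HTPASSWD" admin
    chown root:www-data "$AWSTATS_HTPASSWD"; chmod 640 "$AWSTATS_HTPASSWD"
    a2enconf awstats-auth
    apache2ctl -t && systemctl reload apache2
elif [ "${1:-}" = "check" ]; then
    shift
    for host in "$@"; do
        awstats_requires_auth "http://$host/cgi-bin/awstats.pl"
    done
fi
```

Run `sh awstats-auth.sh install` once, then `sh awstats-auth.sh check ftp.example.com www.example.com` to confirm both hostnames return 401 for the AWStats CGI.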