From owner-freebsd-questions@FreeBSD.ORG Wed Aug 2 12:10:05 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF6C416A4E9 for ; Wed, 2 Aug 2006 12:10:04 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com) Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAD3B43D60 for ; Wed, 2 Aug 2006 12:10:00 +0000 (GMT) (envelope-from wmoran@collaborativefusion.com) Received: from collaborativefusion.com (mx01.pub.collaborativefusion.com [206.210.89.201]) (TLS: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Wed, 02 Aug 2006 08:09:59 -0400 id 00056419.44D09617.00014D18 Received: from Internal Mail-Server (206.210.89.202) by mx01 (envelope-from wmoran@collaborativefusion.com) with AES256-SHA encrypted SMTP; 2 Aug 2006 08:06:22 -0400 Date: Wed, 2 Aug 2006 08:10:01 -0400 From: Bill Moran To: Jonathan Horne Message-Id: <20060802081001.afef1b9c.wmoran@collaborativefusion.com> In-Reply-To: <200608012048.48630.freebsd@dfwlp.com> References: <200608012048.48630.freebsd@dfwlp.com> Organization: Collaborative Fusion X-Mailer: Sylpheed version 2.2.6 (GTK+ 2.8.20; i386-portbld-freebsd6.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: a good web statistics port? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2006 12:10:05 -0000 In response to Jonathan Horne : > i would really prefer awstats, but its been > in "command injection" limbo forever. awstats isn't nearly as dangerous as the advisories make it out. The last few security problems only apply to systems where awstats is configured to allow you to updated the statistics from the web browser. This is not the default configuration on FreeBSD. Personally, I don't need "up to the minute" stats, so all the machines it runs on for me just update it from cron every night. In that configuration, it's not vulnerable to anything. I believe this has been the case with the last 2 or 3 security problems that have been announced for awstats. I'm not aware of any security issues if you have the web-update disabled. -- Bill Moran Collaborative Fusion Inc.