Lxadmin security Vulnerability for awstats

In my previous post on the solution for Lxadmin permalinks for WordPress, a preconfigured function was introduced that fixes the rewrite rules for WordPress and Drupal. Today, we explore a vulnerability in the Lxadmin panel's awstats pages. These are the stats that we use to monitor online traffic sources, much like Google Analytics.

What if these statistics become public?

The data in awstats is the information you use to optimize and monitor the performance of a domain, and you never want it to fall into the wrong hands (your competitors), especially when you face die-hard competition in terms of sales and targets.

Why is the awstats for Lxadmin public?

This is first of all a vulnerability: a security threat that exposes a domain. The problem is in the way URLs are handled in Lxadmin. Below is the structure of the URL used to view the awstats for a domain.

http://example.com/awstats/awstats.pl?config=example.com

First, no separate port is used for the applications served from the server, apart from the panel login on 7778. Moreover, the cookies should be carrying the secure information with them. In the above URL, if you replace the domain name in the config parameter with one hosted on a lighttpd server under Lxadmin, you will be able to view the awstats of that domain. If you would like to try this out, here is a non-functional domain that we found: you can check its stats by replacing example.com with coredeluxe.net.
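To make the flaw concrete, here is an added Python example; it is not code from the original post, from Lxadmin or from awstats. It models the stats dispatcher twice: once the way the post describes it (whatever `config=` names is served, to anyone), and once with the two checks that are missing, a login requirement and a check that the requesting account actually owns the domain named in `config`. The account-to-domain table, the function names and the sample query strings are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# RFC 1123 hostname syntax: dot-separated labels of letters, digits and hyphens.
# Rejecting anything else also blocks values such as "../etc/passwd", because
# awstats.pl turns the config parameter into a file name (awstats.<config>.conf).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample of which panel account owns which domain. A real panel
# would look this up in its own database; the names here are made up.
ACCOUNT_DOMAINS = {
    "alice": {"example.com", "shop.example.com"},
    "bob": {"example.net"},
}


def vulnerable_select_config(query_string):
    """Behaviour the post describes: whatever 'config' names is served,
    with no login and no ownership check."""
    params = parse_qs(query_string)
    return params.get("config", [None])[0]


def hardened_select_config(query_string, session_user):
    """Serve a stats config only to a logged-in user who owns that domain.

    Raises PermissionError when there is no session or the domain belongs to
    someone else, and ValueError when the parameter is malformed.
    """
    if session_user is None:
        raise PermissionError("login required")

    params = parse_qs(query_string)
    values = params.get("config", [])
    if len(values) != 1:
        # Duplicate parameters are a classic way to confuse a later check.
        raise ValueError("exactly one config parameter expected")

    config = values[0].lower()
    if not _HOSTNAME_RE.match(config):
        raise ValueError("config is not a valid hostname")

    if config not in ACCOUNT_DOMAINS.get(session_user, set()):
        raise PermissionError(f"{session_user} does not own {config}")
    return config


if __name__ == "__main__":
    # Anonymous request for someone else's stats: the vulnerable path serves it.
    print("vulnerable:", vulnerable_select_config("config=example.net"))
    # The hardened path refuses the same request without a session ...
    try:
        hardened_select_config("config=example.net", None)
    except PermissionError as exc:
        print("hardened (no login):", exc)
    # ... and refuses it for a logged-in user who does not own the domain.
    try:
        hardened_select_config("config=example.net", "alice")
    except PermissionError as exc:
        print("hardened (wrong owner):", exc)
    # The owner still gets through.
    print("hardened (owner):", hardened_select_config("config=example.net", "bob"))
```

The hostname check is worth having independently of the ownership check: because awstats.pl builds a file name from the `config` value, anything that is not a plain hostname should be rejected before it reaches the file system. On an Lxadmin host the login half of this can also be enforced in the web server itself (for example lighttpd's mod_auth on the `/awstats/` path) without touching awstats.pl, but only the ownership check stops one customer from reading another customer's stats.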

Is cPanel the same?

No, cPanel is absolutely secure with all the data related to it. Everything attached to cPanel is carried on the secure port 2082 and over SSL (Secure Sockets Layer). Even if you don't have SSL, the port is there to keep your data from public view. Below is a sample link showing the port and the SSL parameter.

http://example.com:2082/awstats.pl?config=example.com&ssl=&lang=en

What should we do to protect these stats?

All you can do is look for a panel change, along with some downtime; to my knowledge, no host migrates a domain to a different panel without any downtime.

Why am I recommending a panel change?

The bad incidents that happened to the company in the past, and the sad demise of its owner and founder, have put the company through a tough phase. Moreover, there are almost a dozen vulnerabilities found in the application.

Lastly, Lxadmin only consumes 15 Mb, which makes it one of the best and fastest panels in the world. But security is always a concern for webmasters, so decide for yourself.

Note: This post is for educational purposes only.
