Hi All,
As part of a regular Penetration Test we have carried out on our servers, a risk has been identified in regards to external access of the web stats available at http://www.example.com/webstat/
I have changed all the subscription plans to disable web stats (we were using awstats) as it is never used and was just left on as default. However, this has not removed the stored data or, more importantly, updated the virtual host files to not forward on the statistic URLs to the awstats panel.
I have attempted clicking the "unlock and sync" button on a domain subscription in the hope it would notice that web stats are now disabled and make the stats URL inaccessible. However, this has not worked.
My goal is to completely disable the awstats (and any other per-domain statistics) so that external users cannot get to this information. I am not concerned with leaving the existing data on the server for now, as long as people cannot get to it via a URL. Preferably I'd like a global server solution (rather than making changes to every domain manually), possibly something I can throw into the main http config to simply disable the stats URL on any domain hosted on the server.
Does anyone have any idea how I do this?
Plesk Version: 10.3.1
Operating System: CentOS - Linux 2.6.32-71.el6.x86_64