MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Technical Helps => Topic started by: crossing on 2014-01-04, 19:55:14
-
'Statistics Page Password' set have no effect and everyone can access my stats.
-
Did you reset httpd after you changed the password? I will test as well.
-
I reboot it the server with no results.
-
Mustafa, there is a bug / problem with stats password now. Servers that had password protection already, it works. On new installs or new domains the password stays null. I tried both templates, feather and default (6.5.0f 20140103). If I try to change an existing password it sets it to null.
So the problem is not with httpd, but with setting the actual passwords in KloxoMR. Please fix, this is actually a security bug.
Thank you
-
Look like something wrong with mechanism to save password and create __stats file.
-
I don't know when it stopped working. Please advise, a fix here is important.
-
Still investigate for this issue.
-
Mustafa did you managed to fix this bug ?
-
Any chance to fix this problem ? I have one competitor keep accesing stats page.
-
Temporary solution:
For apache, copy domains.conf.tpl to custom.conf.tpl and then modified:
<?php
if ($statsprotect) {
?>
<Location "/awstats/">
AuthType Basic
AuthName "Awstats"
#AuthUserFile "/home/<?php echo $user; ?>/__dirprotect/__stats"
AuthUserFile "/home/httpd/<?php echo $domainname ?>/__dirprotect/__stats"
require valid-user
</Location>
<?php
}
to:
<?php
//if ($statsprotect) {
?>
<Location "/awstats/">
AuthType Basic
AuthName "Awstats"
#AuthUserFile "/home/<?php echo $user; ?>/__dirprotect/__stats"
AuthUserFile "/home/httpd/<?php echo $domainname ?>/__dirprotect/__stats"
require valid-user
</Location>
<?php
//}
the same trick for nginx and lighttpd.
With this trick no one able to access to stats (including you) except knowing username and password.
-
Above code for awstats. Find out also for webalizer.
-
Mustafa, this is not a good solution. Clients want to password protect stats. How do they set password? KloxoMR not allowing setting of password. This worked in previous versions of KloxoMR, as my older sites have it enabled,
Please fix the panel way, so clients can use.
-
Mustafa any progress on fixing this issue?
-
There has been three KloxoMR updates since this issue was discovered. Mustafa, please fix this.
-
Any news about this problem ?
-
This issue is not resolved, it needs fixed. Thank you
-
There are something trouble where add stats password not save in kloxo database. Still investigate.
-
Is this issue too complex?
-
Any closer to a solution Mustafa?
-
Any solution for this yet ?
-
Did you update to latest version?.
-
Mustafa, on 6.5.1a the stats password now saves, but when going to the awstats you get this:
Error: Access to statistics is only allowed from an authenticated session to authenticated users.
Setup ('/etc/awstats/awstats.<domain>.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
It doesn't ask for authorization. Please advise.
-
Awstats using perl. Perl itself not work on nginx and hiawatha.
Latest version of 6.5.0.f and 6.5.1.a already disable perl functions.
-
it works fine. I had to wait for the webserver to restart, or for KloxoMR to finish, it works good. :)
Kloxo-MR 6.5.1.a-2014013101
You disabled cgi-bin for clients, perl still works for Apache. Awstats works fine.
Also, so those who don't know, username is the domain name. ;) (not admin or the client name)
-
Only perl in /home/<user>/<domain>/cgi-bin not work. Awstart is in different path and not able touch from user.
-
I know Mustafa, was just letting you know it does work. ;)