Awstats password protection

[sci2tech]

Please test in r1405
Update: on domain creation a new group named statistics will be added. Any user that belong to this group will be able to access statistics pages. Once statistic group is created, can not be anymore deleted, but users can be added / removed to / from this group. Management is done via WEBTOOLS -> Group/User management

[Cube]

Wow, great. Finally my most awaited feature is ready. Thank you very much.

But how do I use it? I just updated to the latest trunk and regenerated the configs. There are the new parts in the apache-config, but the the .ht*-files are empty.

[sci2tech]

Create a group named statistics in WEBTOOLS -> Group/User management if not exists. Add a user to this group. Access http://domain.tld/stats/ . Now enter user assigned to statistics group with his password. .htgroup is updated only if at least one group has at least one user assigned. Users goes to .htpasswd.

[momo]

wo! that is nice!

Great work sci2tech

[momo]

There is a little mistake in user panel, webtools.

Group/User management 'icon' works fine but
Group/User management 'link' point to "protected_areas.php

RC7 build 20081212

[simple]

Error is already fixed in the trunk, I wanted to post this as a ticket and got the solution there.

[bulforce]

i found a little security bug. I tried to open a ticked but trac is saying something about potential spam...

So here is the security flaw i found...

Straigh to example:

Site-A.tld and Site-B.tld are both users in the sytem.

The owner of Site-A.tld can see the stats for Site-B.com without knowing the password by doing this:

http://Site-A.tld/stats/awstats.pl?config=Site-B.tld

I know its not a major issue but it makes the password protection less powerfull.

Thanks

[BeNe]

You´r right!
Here is the Ticket --> http://www.isp-control.net/ispcp/ticket/1626

Greez BeNE

[sci2tech]

Fixed (please test) in r1463. Thank you.