Hello PHP Web Stat!
I have recently installed your stat tool, and for the time I have been using it, it seems
great. There's only one thing I'm not very impressed about, and that is the
privacy of the statistics and information about the server that should be kept
secure.
So here are my complaints:

- To my liking, there were two options that should privatise the statistics at Admin Center -> Advanced Settings -> Security. One is named "Protect the stat with a password?" and the other "Enable security mode for your log folder?".
Happily I checked both of these, and now I think that no one else can check my statistics. But the only thing that is protected is the directory view of the logs folder, which really is just a stupid protection. Anyone with knowledge of this stat script knows he can just browse to /log/logdb.dta. I find this very, very stupid. The option "Enable security mode for your log folder?" is really just misleading you.
- Because of this, the option "Protect the stat with a password?" is idiotic. I can just download the files where the stats are saved, and run these in my own stat script.
- I was also very astonished that sysinfo.php was not password protected! Now everyone can use this file to see what PHP version I run, what OS I use and what version of the script I use. This information could be used by crackers to see what security vulnerabilities the server is unprotected against.
I know that I sound pretty harsh on all these things. I just don't understand why this hasn't been thought about before? The only reason I see to let sysinfo.php be open to the public is to let you guys here do support. There is probably more stuff that is open to the public that I haven't discovered yet.
Oh yes, protecting the cookie that excludes you from the stats is not really very secure. But I guess you know that cookies can easily be crafted by someone else, and just wanted to make sure that most of the public did not use the easy option.
Again, I'm sorry I sound harsh. I really love your functions and the way the statistics are displayed. I just hate to discontinue using this because of these security flaws.
Regards
Kasper
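The core of the post above is that refusing a directory listing is not the same as refusing the directory. The following is an added example, not code from PHP Web Stat or from the poster: a small Python stand-in web server (http.server, not Apache or PHP) that reproduces the two behaviours side by side and probes them over loopback. Only the path names /log/logdb.dta and sysinfo.php are taken from the post; the docroot, the file contents, the admin credentials and the "hardened" handler are all constructed here to show what the two options ought to mean, and the stand-in serves sysinfo.php as a plain file since it runs no PHP.

```python
"""Directory-listing block vs. directory block: a loopback demonstration.
Added example, not PHP Web Stat code; everything but the two path names
from the post is constructed here."""
import base64
import hmac
import http.server
import os
import posixpath
import shutil
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request
from functools import partial

# Paths a reader of the post would probe (the last one is a traversal variant).
PROBE_PATHS = ["/log/", "/log/logdb.dta", "/sysinfo.php", "/x/../log/logdb.dta"]


class ListingOnlyHandler(http.server.SimpleHTTPRequestHandler):
    """'Security mode' as the post describes it: the directory listing is
    refused, but every file underneath it is still served to anyone."""
    deny_dirs = ()      # directories refused outright, e.g. ("/log",)
    auth_files = ()     # files that need HTTP Basic credentials
    credentials = "admin:constructed-demo-password"   # constructed, demo only

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

    def _norm_path(self):
        # Normalise the way SimpleHTTPRequestHandler.translate_path does before
        # mapping to disk, so /x/../log/logdb.dta cannot slip past a prefix
        # check that only looks at the raw request line.
        raw = urllib.parse.urlsplit(self.path).path
        return posixpath.normpath(urllib.parse.unquote(raw))

    def _authorised(self):
        expected = "Basic " + base64.b64encode(self.credentials.encode()).decode()
        got = self.headers.get("Authorization", "")
        return hmac.compare_digest(got.encode(), expected.encode())

    def do_GET(self):
        path = self._norm_path()
        if any(path == d or path.startswith(d + "/") for d in self.deny_dirs):
            self.send_error(403, "Forbidden")
            return
        if path in self.auth_files and not self._authorised():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stat admin"')
            self.end_headers()
            return
        super().do_GET()

    def log_message(self, *args):   # keep the demo quiet
        pass


class HardenedHandler(ListingOnlyHandler):
    """What the two options ought to mean: nothing under /log is reachable
    over HTTP at all, and sysinfo.php sits behind the admin password."""
    deny_dirs = ("/log",)
    auth_files = ("/sysinfo.php",)


def make_docroot():
    """Constructed throwaway docroot mimicking the layout named in the post."""
    root = tempfile.mkdtemp(prefix="webstat_demo_")
    os.makedirs(os.path.join(root, "log"))
    with open(os.path.join(root, "log", "logdb.dta"), "w") as f:
        f.write("constructed sample stat record\n")
    with open(os.path.join(root, "sysinfo.php"), "w") as f:
        f.write("<?php phpinfo(); ?>\n")   # served verbatim; no PHP runs here
    return root


def probe(base_url, paths=PROBE_PATHS, auth=None):
    """GET each path and return {path: HTTP status}; auth is (user, password)."""
    headers = {}
    if auth:
        token = base64.b64encode(("%s:%s" % auth).encode()).decode()
        headers["Authorization"] = "Basic " + token
    results = {}
    for p in paths:
        req = urllib.request.Request(base_url + p, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                results[p] = r.status
        except urllib.error.HTTPError as e:
            results[p] = e.code
    return results


def run_demo(handler_cls, auth=None):
    """Serve a constructed docroot on a loopback port, probe it, tear it down."""
    docroot = make_docroot()
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(handler_cls, directory=docroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d" % srv.server_address[1], auth=auth)
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(docroot, ignore_errors=True)


if __name__ == "__main__":
    print("listing blocked only:", run_demo(ListingOnlyHandler))
    print("/log denied + auth  :", run_demo(HardenedHandler))
    print("same, with password :",
          run_demo(HardenedHandler, auth=("admin", "constructed-demo-password")))
```

With the listing-only handler, /log/ answers 403 while /log/logdb.dta (and the /x/../ traversal spelling of it) answers 200, which is exactly the situation the post complains about. With the hardened handler the whole /log tree answers 403 regardless of how the path is spelled, and sysinfo.php answers 401 until the Basic credentials are supplied. The same two properties are what to verify on a real install: a deny rule for the log directory itself (not merely a listing switch), checked against a normalised path, and an authentication requirement on sysinfo.php. Basic auth over plain HTTP is only a demo stand-in here; in production it needs TLS.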