Security / Privacy of statistics (Read 5370 times)
foens
Former member

Security / Privacy of statistics
10.07.09 at 12:30:39
 
Hello PHP Web Stat!

I have recently installed your stat tool, and for the time using it, it seems great. There's only one thing I'm not very impressed about, and that is the privacy of the statistics and information about the server that should be kept secure.

So here are my complaints:
  • To my liking there were two options that should privatize the statistics at Admin Center -> Advanced Settings -> Security. One is named "Protect the stat with a password?" and the other "Enable security mode for your log folder?".
    Happily I checked both of these, and now I think that no one else can check my statistics. But the only thing that is protected is the directory view of the logs folder, which really is just a stupid protection. Anyone with knowledge of this stat script knows he can just browse to /log/logdb.dta. I find this very, very stupid. The option "Enable security mode for your log folder?" is really just misguiding you.
  • Because of this, the option "Protect the stat with a password?" is idiotic. I can just download the files where the stats are saved, and run them in my own stat script.
  • I was also very astonished that sysinfo.php was not password protected! Now everyone can use this file to see what PHP version I run, what OS I use and what version of the script I use. This information could be used by crackers to see what security vulnerabilities the server is unprotected against.

I know that I sound pretty harsh on all these things. I just don't understand why this hasn't been thought about before. The only reason I see to let the sysinfo.php be open to the public is to let you guys here do support. There is probably more stuff that is open to the public that I haven't discovered yet.

Oh yes, protecting the cookie that excludes you from the stats is not really very secure. But I guess you know that cookies can easily be crafted by someone else, and just wanted to make sure that most of the public did not use the easy option.

Again, I'm sorry I sound harsh. I really love your functions and the way the statistics are displayed. I just hate to discontinue using this because of these security flaws.

Regards
Kasper
foens
Former member

Re: Security / Privacy of statistics
Reply #1 - 10.07.09 at 15:49:17
 
It seems that my server did not allow any .htaccess differences to be made. This resulted in the log folder being totally open. So the checkbox to keep this closed is actually fine.

Now I'm still wondering about sysinfo.php. I have excluded it by using .htaccess now, but still feel it should be protected.

Another file that can be accessed is pattern_site_name.inc, which doesn't really have anything useful seen from an outside view. But again, it should not be public.

Sorry for my bad experience with Apache. I found it to override .htaccess. (grumpy) Sorry.
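As an added example (not code from this thread or from the PHP Web Stat project), here is the Apache configuration that closes the three gaps discussed above: the AllowOverride setting that left the poster's .htaccess rules unapplied, the raw log database sitting behind the "protected" directory listing, and sysinfo.php. The document root /var/www/html and the install path /var/www/html/stat are assumptions; the file names (logdb.dta, sysinfo.php, pattern_site_name.inc) come from the thread.

```apache
# --- httpd.conf / vhost level; DocumentRoot /var/www/html is assumed ---

# Weak setting: this silently discards every .htaccess under the document
# root, which is why rules placed in the stat's log folder had no effect.
#<Directory "/var/www/html">
#    AllowOverride None
#</Directory>

# Corrected: let .htaccess carry access rules in this tree. AuthConfig covers
# "Require" (Apache 2.4), Limit covers "Order"/"Deny" (Apache 2.2).
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride AuthConfig Limit
</Directory>

# Safer still: enforce the rules here, where they do not depend on
# AllowOverride at all. The stat's install path /var/www/html/stat is assumed.
<Directory "/var/www/html/stat/log">
    # Deny the files themselves (logdb.dta), not only the directory listing.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<Directory "/var/www/html/stat">
    # sysinfo.php is only a support tool; block it together with every .dta
    # and .inc data file (covers pattern_site_name.inc and any others).
    <FilesMatch "^(sysinfo\.php|.*\.(dta|inc))$">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
        </IfModule>
    </FilesMatch>
</Directory>
```

After a reload, a request for /stat/log/logdb.dta or /stat/sysinfo.php should return 403 instead of the file; running that same check against a rule placed only in .htaccess tells you whether AllowOverride is honouring it at all.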
Husky
Global Moderator
Posts: 1133
Gender: male
Re: Security / Privacy of statistics
Reply #2 - 11.07.09 at 10:39:05
 
 
Hi foens,

before we dive into the eternal depths of the ocean I will ask you for a favor: The next release of the Stat (Vers. 4) is coming soon, and if you are willing to make that update, check it again for the same question.
Maybe there are changes that you like ..... (wink)

But one thing hasn't changed in the next version: the sysinfo.php! It is a support tool, and everybody who knows that can open this file. If you don't like that, delete this file. It doesn't affect the function of the Stat!

Husky
foens
Former member

Re: Security / Privacy of statistics
Reply #3 - 12.07.09 at 12:13:57
 
I will wait for that in anticipation then. (smile)
Thanks for the reply.
Reimar
Administrator
Posts: 1984
Gender: male
Re: Security / Privacy of statistics
Reply #4 - 13.07.09 at 12:10:33
 
Ok, if the htaccess file now works on your server to protect the logfiles, you deleted the sysinfo and set a password for accessing the stat ... what kind of security flaws still exist?