SecuniaからAWStatsのアドバイザリが出てるんですが、

Particularly notable about these holes is that they are very similar to previously discovered ones. The problems with calls to the open function were already known before. Additionally, the developers claim that only one vulnerability has been found in the history of AWStats, which is simply not true.

To be honest, not everything is bad about AWStats. However, unless its security record improves, AWStats should only be used to generate static content or on a private web server.