I found a problem in the way the .htaccess file for webstats is generated. A user of ours is running Drupal 6 and has Webalizer stats. Accessing domain.com/stats/ on his site yields a 403 error while domain.com/stats/index.html works. This is due to Drupal6's .htaccess in the document root that specifies DirectoryIndex index.php which is automatically active for subdirectories as well, so it works for awstats but not Webalizer. Thus, I think the autogenerated .htaccess file should explicitly specify the two choices. I've attached an untested but trivial enough patch against 3.0.5.3 that adds this and also fixes incorrect permissions for the .htaccess and .htpasswd_stats files -- they are not executable and shouldn't be marked as such, so the mode is 0644 instead of 0755.
nice thanks. same happens if one changes the order in /etc/apache2/mods-available/dir.conf to use index.php first. I also agree with the permissions. same goes for the main website's .htaccess permissions, also all html files, ico, robots.txt, or in /error/ all are 754 and should be 644.