[14941] in bugtraq
Re: Banner Rotation 01
daemon@ATHENA.MIT.EDU (Joao Pedro Gonçalves)
Thu May 18 15:01:21 2000
Message-Id: <39229840.69CE3205@ptm.pt>
Date: Wed, 17 May 2000 14:01:52 +0100
Reply-To: Joao Pedro Gonçalves <joaop@PTM.PT>
From: Joao Pedro Gonçalves <joaop@PTM.PT>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This problem traces back to 'Advertiser', which is available from
http://dreamcatchersweb.com/scripts/
and is documented in
(hhp) Advertiser advisory. (hhp)
http://www.attrition.org/security/advisory/hhp/hhp.008.ads-2
In fact, adpassword.txt is also 'admin' DES encrypted, except that it is
documented with different (but still insecure) permissions:
--cut--
The files included need the following permissions:
adcount.txt a+rw or 666
adpassword.txt a+rw or 666
--cut--
This is covered in the advisory mentioned above.
Rotating 01 seems to me like a rip-off, without the copyright notices
present in Advertiser, and with the same security issues.
Joao Pedro Goncalves
PT Multimedia - www.sapo.pt
zillion wrote:
>
> -- Banner rotating 01 --
>
> --> Description:
>
> "Banner rotating 01" is a cgi script distributed for free on several
> site builder sites, including Hot Area. The script is available on
> http://www.hotarea.net/web/scripts/banner01/ The cgi script offers
> numerous functions for those wishing to manage rotating banners on their
> sites, including web based administration, unlimited advertisers, and
> statistics that keep track of exposures, click-throughs and the
> view-to-click ratio. The script requires Server Side Includes (SSI)
> support from the webserver.
>
> --> Affected sites:
>
> The Hot Area site mentions that the script has been downloaded 9345
> times (as of 05/16/2000). A simple WebFerret search showed that scores
> of sites are affected with an exposed in-the-clear password file.
>
> --> The problem:
>
> A file called adpassword.txt is world readable as it is assigned the
> wrong permissions. This will allow a malicious attacker to read the
> contents of the file, to crack the DES encrypted password it contains
> (using a common-or-garden password cracker), and to edit banner
> entries, to add or to remove banners.
>
> --> Extracts of the manual with commentary:
>
> Note: The extracts below are taken from the manual, which is stored as
> an index.html in the same directory as the adpassword file and the .cgi scripts
>
> --cut--
>
> Below are the files stored in the ads directory
>
> index.html - the manual
> ads.setup - the only file you need to change;
> ads.cgi - script to display correct advertiser;
> gotoad.cgi - script to direct links;
> admin.cgi - script to administrate your advertisers;
> adcount.txt - a file to keep track of which banner to display;
> adpassword.txt - password file for administration script;
> 01-03.jpg - demo images
> Advertiser.txt - sample data files
>
> Below are the permissions they want you to give your files
>
> ads.setup - 755
> ads.cgi - 755
> gotoad.cgi - 755
> admin.cgi - 755
> adcount.txt - 777
> adpassword.txt - 777
>
> Below is an explanation on how to use the admin.cgi tool
>
> Your password is currently set at admin. I suggest the first thing you
> do is to change it.
> Name - the name of the advertiser - DO NOT USE SPACES.
> Exposures - the number of exposures purchased.
> URL - the url that the banner should link to.
> Image URL - the url of the banner for the advertiser.
> Banner Text - the text that you want to appear below the banner.
> Font Size - the size of the text below the banner.
>
> Note: admin, when DES encrypted, is "aaLR8vE.jjhss." 8 of the 10 web
> sites I reviewed did not change this password.
>
> Possible Countermeasures
> Delete the file. On Apache web servers, .htaccess can be used to deny
> access to the file.
>
> --> This file was written by:
>
> Name: zillion
> Email: zillion@safemode.org
> Url: http://www.safemode.org
>
> Special thanks to Peter Thomas!
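The permission problem both messages describe (a manual that tells installers to chmod 777 the password file, leaving it readable by every local user and fetchable over HTTP) can be checked mechanically. The following POSIX shell audit is an added example; it is not code from either advisory or from the script's author. It assumes the directory layout quoted from the manual (adcount.txt and adpassword.txt in the ads directory) and Apache's Order/Deny access-control syntax for the `.htaccess` countermeasure zillion mentions.

```shell
#!/bin/sh
# Added example (not from either advisory or the script's author): audit the
# ads directory layout quoted above for data files that "others" can read or
# write, and print an Apache <Files> block that refuses HTTP requests for the
# password file. Assumptions: file names adcount.txt / adpassword.txt as in the
# manual; Apache 1.3/2.x access-control syntax (Order/Deny).

# world_access FILE
#   Prints "r", "w", "rw" or nothing, depending on the "others" permission
#   bits; exit status 0 when any world access exists, 1 otherwise.
world_access() {
    f=$1
    out=""
    # -prune keeps find from descending if FILE is a directory; the octal
    # -perm tests are POSIX and behave the same on GNU and BSD find.
    [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ] && out="${out}r"
    [ -n "$(find "$f" -prune -perm -002 2>/dev/null)" ] && out="${out}w"
    printf '%s\n' "$out"
    [ -n "$out" ]
}

# htaccess_rule NAME
#   Prints an .htaccess fragment denying web access to NAME. This only blocks
#   requests that go through Apache; it does nothing against other local users
#   on a shared host, so the file mode must be fixed as well.
htaccess_rule() {
    cat <<EOF
<Files "$1">
    Order allow,deny
    Deny from all
</Files>
EOF
}

# audit_dir DIR
#   Reports every data file in DIR with world read/write access. Returns 1 if
#   anything was flagged, 0 if the directory is clean. The CGI runs as the web
#   server user, so "owned by that user, mode 600" keeps the script working.
audit_dir() {
    dir=$1
    rc=0
    for name in adcount.txt adpassword.txt; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        access=$(world_access "$f") || true
        if [ -n "$access" ]; then
            printf '%s: world-%s (manual asks for 777; use 600 owned by the httpd user)\n' \
                "$f" "$access"
            rc=1
        fi
    done
    return $rc
}

# Usage, when run directly: ./audit_ads.sh /path/to/ads
# Prints the findings and, if anything was flagged, the .htaccess block to add.
if [ -n "$1" ]; then
    audit_dir "$1" || htaccess_rule adpassword.txt
fi
```

Two caveats the countermeasures section leaves implicit: the `.htaccess` block only stops Apache from serving the file, so on a shared host the mode bits still matter; and the CGI only needs the files to be readable and writable by the user the web server runs as, so mode 600 (or 660 with a shared group) owned by that user is sufficient, and the 777/666 in both manuals is never required.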