[8626] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Freestats.com CGI vulnerability

daemon@ATHENA.MIT.EDU (Aviram Jenik)
Tue Nov 24 23:18:05 1998

Date: 	Tue, 24 Nov 1998 20:14:29 +0200
Reply-To: Aviram Jenik <aviram@JENIK.COM>
From: Aviram Jenik <aviram@JENIK.COM>
X-To:         John Carlton <techhelp@ROCKETMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG


Naturally, just milliseconds after I sent my last mail I saw that I was dead wrong.
Apparently, deep inside the web site they still have the good old "edit.pl" script. It takes some time to reach it (unlike the path you described) but you can reach it directly at:
http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

I just tested your exploit, and it seems to work nicely.

John Carlton wrote:

> About a year ago I developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug.  After hearing no reply, and seeing no fix in sight, I've decided to post it here.
>
> Procedure:
>
> Start an account with freestats.com, and log in.  Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO"  This will call up a file called edit.pl with your user # and password included in it.
>
> Save this file to your hard disk and open it with notepad.  The only form of security in this is a hidden attribute on the form element of your account number.  Change this from *input type=hidden name=account value=your#* to *input type=text name=account value=""*  Save your page and load it into your browser.
>
> There will now be a text input box where the hidden element was before.  Simply type a # in and push the "click here to update user profile" and all the information that appears on your screen has now been written to that user profile.
>
> But that isn't the worst of it.  By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function.
>
> Any thoughts, questions, or comments?
>
> John Carlton,
> CompSec specialist.

--
-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

I'm not into working out. My philosophy: No pain, no pain.
 - Carol Leifer
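The bug the thread describes is server-side trust in a client-controlled account number: edit.pl accepts whatever "account" value the form carries, so a hidden field is the only thing standing between a user and every other profile. The following is an added example, not code from freestats.com or from either poster, that models the two behaviours side by side in Python. The account store, the account numbers, passwords and profile data are constructed for the example; edit_vulnerable mirrors the behaviour John Carlton reports, and edit_fixed shows the check that would have stopped it: verify the submitted password against the account actually being edited, and write only to that account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the stats service's user database.
# Nothing here is real freestats.com data.
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    profile: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_store() -> dict:
    """Two made-up accounts. 1001 is 'the attacker', 1002 is the victim."""
    store = {}
    for num, pw, site in [("1001", "hunter2", "alice.example"),
                          ("1002", "s3cret", "bob.example")]:
        salt = secrets.token_bytes(16)
        store[num] = Account(salt, _hash(pw, salt), {"site": site})
    return store


def edit_vulnerable(store: dict, form: dict) -> str:
    """Behaviour described in the post: the submitted 'account' field selects
    the record, and nothing ties the request to that account's owner."""
    acct = store.get(form.get("account", ""))
    if acct is None:
        return "no such account"
    acct.profile.update(form.get("profile", {}))
    if form.get("new_password"):
        acct.pw_hash = _hash(form["new_password"], acct.salt)
    return "updated"


def edit_fixed(store: dict, form: dict) -> str:
    """Authenticate the submitted password against the account named in the
    request, and refuse otherwise. A tampered account number now needs that
    account's password, so the frames-plus-JavaScript loop gains nothing."""
    acct = store.get(form.get("account", ""))
    # Same answer for unknown account and wrong password: no enumeration oracle.
    if acct is None:
        return "denied"
    candidate = _hash(form.get("password", ""), acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return "denied"
    acct.profile.update(form.get("profile", {}))
    if form.get("new_password"):
        acct.pw_hash = _hash(form["new_password"], acct.salt)
    return "updated"


def check_login(store: dict, account: str, password: str) -> bool:
    """Helper for verifying a password change took effect."""
    acct = store.get(account)
    if acct is None:
        return False
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


if __name__ == "__main__":
    # Account 1001's owner submits the form with the hidden field changed to 1002.
    tampered = {"account": "1002", "password": "hunter2",
                "profile": {"site": "evil.example"}, "new_password": "pwned"}
    s = make_store()
    print("vulnerable:", edit_vulnerable(s, tampered), s["1002"].profile)
    s = make_store()
    print("fixed:     ", edit_fixed(s, tampered), s["1002"].profile)
```

The alternative fix is to drop the account field from the form entirely and take the account from a server-side session established at login; either way the rule is the same, the record written is the one the caller proved they own, never the one they named.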


