From: neme-dhcHUSHMAIL.COM
Date: Mon May 07 2001 - 19:31:12 CDT

     [ Advisory for A1Stats ]
     [ A1Stats is made by Drummond Miles ]
     [ Site: http://www.gadnet.com/a1stats ]
     [ by nemesystm of the DHC ]
     [ (http://dhcorp.cjb.net - neme-dhchushmail.com) ]
     [ ADV-0114 ]

    A1Stats is a CGI package to track website traffic.
    The package has a file-viewing bug and also makes
    it possible to overwrite existing files.

    /-|=[who is vulnerable]=|-\
    Anyone using a A1Stats that was downloaded before

    /-|=[testing it]=|-\
    To test these vulnerabilities, try the following.
    These two will give you /etc/passwd.
    This will also give you /etc/passwd but it will
    show it in a very mangled manner as the CGI adds
    HTML tags to what it thinks is a file it created

    One can also open a file and wreck its contents.
    will empty a1admin.txt. a1admin.txt contains the
    password to change settings of the CGI. When this
    file is removed, no one can log in anymore.

    Downloading the latest version will solve this