
List:       bugtraq
Subject:    Re: Freestats.com CGI vulnerability
From:       Aviram Jenik <aviram () JENIK ! COM>
Date:       1998-11-24 18:14:29


Naturally, just milliseconds after I sent my last mail I saw that I was dead wrong.
Apparently, deep inside the web site they still have the good old "edit.pl" script. It takes some time to reach it (unlike the path you described) but you can reach it directly at: http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

I just tested your exploit, and it seems to work nicely.

John Carlton wrote:

> About a year ago I developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug. After hearing no reply, and seeing no fix in sight, I've decided to post it here.
> Procedure:
> 
> Start an account with freestats.com, and log in. Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO". This will call up a file called edit.pl with your user # and password included in it.
> Save this file to your hard disk and open it with notepad. The only form of security in this is a hidden attribute on the form element of your account number. Change this from *input type=hidden name=account value=your#* to *input type=text name=account value=""*. Save your page and load it into your browser.
> There will now be a text input box where the hidden element was before. Simply type a # in and push the "click here to update user profile" and all the information that appears on your screen has now been written to that user profile.
> But that isn't the worst of it. By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function.
> Any thoughts, questions, or comments?
> 
> John Carlton,
> CompSec specialist.

--
-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

I'm not into working out. My philosophy: No pain, no pain.
 - Carol Leifer
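The root cause John describes, a hidden account field that the server trusts as authorization, shown beside the server-side fix, as an added example that is not the freestats.com edit.pl code (the store and handler names PROFILES, SESSIONS and handle_update_* are assumptions):

```python
# Added example, not the freestats.com script. Minimal profile-update handlers
# over an in-memory store; the "fixed" one binds the target account to the
# authenticated session instead of the client-supplied form field.

# Constructed sample data: two accounts and one logged-in session cookie.
PROFILES = {
    "1001": {"password": "alice-pw", "title": "Alice's site"},
    "1002": {"password": "bob-pw", "title": "Bob's site"},
}
SESSIONS = {"cookie-alice": "1001"}  # session cookie -> authenticated account


def _apply(account, form):
    """Copy only the editable fields from the submitted form."""
    updates = {k: form[k] for k in ("title", "password") if k in form}
    PROFILES[account].update(updates)


def handle_update_vulnerable(cookie, form):
    """Mirrors the reported behaviour: the account number is read from a
    hidden form field, so whatever the client submits is trusted."""
    if cookie not in SESSIONS:
        return 403
    account = form.get("account")  # client-controlled, never checked
    if account not in PROFILES:
        return 404
    _apply(account, form)
    return 200


def handle_update_fixed(cookie, form):
    """Hardened: the account comes from the server-side session. A submitted
    account field is tolerated only if it matches; a mismatch is refused and
    is the signal a defender should log as a tampering attempt."""
    account = SESSIONS.get(cookie)
    if account is None:
        return 403
    if form.get("account") not in (None, account):
        return 403  # hidden field was edited: refuse, do not touch any profile
    _apply(account, form)
    return 200
```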

