List: bugtraq
Subject: Re: Freestats.com CGI vulnerability
From: Aviram Jenik <aviram () JENIK ! COM>
Date: 1998-11-24 18:14:29
Naturally, just milliseconds after I sent my last mail I saw that I was dead wrong.
Apparently, deep inside the web site they still have the good old "edit.pl" script.
It takes some time to reach it (unlike the path you described) but you can reach it
directly at: http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
I just tested your exploit, and it seems to work nicely.
John Carlton wrote:
> About a year ago I developed an exploit for the free web stats services offered at
> freestats.com, and supplied the webmaster with proper code to patch the bug. After
> hearing no reply, and seeing no fix in sight, I've decided to post it here.
> Procedure:
>
> Start an account with freestats.com, and log in. Click on the area that says
> "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO". This will call up a file
> called edit.pl with your user # and password included in it.
> Save this file to your hard disk and open it with notepad. The only form of
> security in this is a hidden attribute on the form element of your account number.
> Change this from *input type=hidden name=account value=your#* to *input type=text
> name=account value=""*. Save your page and load it into your browser.
> There will now be a text input box where the hidden element was before. Simply
> type a # in and push the "click here to update user profile" and all the
> information that appears on your screen has now been written to that user profile.
> But that isn't the worst of it. By using frames (2 frames, one to hold this page
> you just made, and one as a target for the form submission) you could change the
> password on all of their accounts with a simple JavaScript function.
> Any thoughts, questions, or comments?
>
> John Carlton,
> CompSec specialist.
--
-------------------------
Aviram Jenik
"Addicted to Chaos"
-------------------------
Today's quote:
I'm not into working out. My philosophy: No pain, no pain.
- Carol Leifer
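The flaw in this thread is the server treating a hidden `account` form field as proof of who is allowed to edit a profile. The following is an added example, not code from the thread or from freestats.com/sitetracker.com (their edit.pl was never published): a minimal model of that handler next to a hardened one that authorizes against the server-side session, refuses any mismatching client-supplied account number, and requires the current password before a password change. All names and the profile data are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (hypothetical setting)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so stored credentials are not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store():
    """Constructed profile store keyed by account number (hypothetical data)."""
    store = {}
    for acct, pw, email in (("1001", "alice-pass", "alice@example.invalid"),
                            ("1002", "bob-pass", "bob@example.invalid")):
        salt = secrets.token_bytes(16)
        store[acct] = {"salt": salt, "pw_hash": _hash_password(pw, salt), "email": email}
    return store


def verify_password(profile, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored hash."""
    return hmac.compare_digest(profile["pw_hash"], _hash_password(password, profile["salt"]))


def vulnerable_update(store, form) -> bool:
    """Models the edit.pl behaviour described in the thread: the hidden `account`
    field is the only 'authorization', so whatever account number the client
    submits is the one that gets overwritten."""
    acct = form.get("account")
    if acct not in store:
        return False
    store[acct]["email"] = form["email"]
    return True


def hardened_update(store, session, form) -> bool:
    """Authorizes against the server-side session, never the submitted field.
    The form's account value is at most a consistency check, not an identity claim."""
    if not session or session.get("account") not in store:
        return False
    acct = session["account"]
    if form.get("account") != acct:
        return False  # tampered or stale form: refuse, and log it as suspicious
    store[acct]["email"] = form["email"]
    return True


def hardened_change_password(store, session, form) -> bool:
    """Password changes additionally require the current password, so a forged
    form submission (e.g. from the framed page the thread describes) cannot
    lock the real owner out even with a valid session."""
    if not session or session.get("account") not in store:
        return False
    profile = store[session["account"]]
    if not verify_password(profile, form.get("current_password", "")):
        return False
    new_pw = form.get("new_password", "")
    if len(new_pw) < 8:
        return False
    profile["salt"] = secrets.token_bytes(16)
    profile["pw_hash"] = _hash_password(new_pw, profile["salt"])
    return True


if __name__ == "__main__":
    store = make_store()
    # Session belongs to 1001, but the submitted form names 1002.
    tampered = {"account": "1002", "email": "x@example.invalid"}
    print("vulnerable accepted:", vulnerable_update(store, tampered))
    store = make_store()
    print("hardened accepted:", hardened_update(store, {"account": "1001"}, tampered))
```

The design point is that the account identity must come from state the client cannot edit (the session record) and that the hidden field, if kept at all, only serves to detect tampering. A mismatch is worth logging as a detection signal, since legitimate clients never produce one.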