Bugtraq mailing list archives

Freestats.com CGI vulnerability


From: techhelp () ROCKETMAIL COM (John Carlton)
Date: Sat, 21 Nov 1998 12:54:41 -0500


About a year ago I developed an exploit for the free web stats services offered at freestats.com, and supplied the 
webmaster with proper code to patch the bug.  After hearing no reply, and seeing no fix in sight, I've decided to post 
it here.

Procedure:

Start an account with freestats.com, and log in.  Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & 
COUNTER INFO".  This will call up a file called edit.pl with your user # and password included in it.

Save this file to your hard disk and open it with notepad.  The only form of security in this is a hidden attribute on 
the form element of your account number.  Change this from *input type=hidden name=account value=your#* to *input 
type=text name=account value=""*.  Save your page and load it into your browser.

There will now be a text input box where the hidden element was before.  Simply type a # in and push the "click here to 
update user profile" and all the information that appears on your screen has now been written to that user profile.

But that isn't the worst of it.  By using frames (2 frames, one to hold this page you just made, and one as a target 
for the form submission) you could change the password on all of their accounts with a simple JavaScript function.

Any thoughts, questions, or comments?

John Carlton,
CompSec specialist.
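
The flaw described above is that a client-editable form field (`account`) decides which profile gets written. As an added example (not part of the original post, and not freestats.com's code), the Python below shows that behaviour beside a handler that takes the account from a server-signed session token and only compares the form field against it. The token format, the key, and the `email`/`password` field names are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client


def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Issued at login: binds the session to exactly one account number."""
    return f"{account}.{_mac(account)}"


def account_from_token(token: str):
    """Return the authenticated account, or None if the token was altered."""
    account, _, mac = token.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(account).encode())
    return account if account and ok else None


def update_trusting(form: dict, profiles: dict) -> str:
    """Behaviour described in the post: the form's account field picks the profile."""
    profiles[form["account"]] = {"email": form["email"], "password": form["password"]}
    return "updated"


def update_checked(form: dict, token: str, profiles: dict) -> str:
    """Hardened: the target comes from the session; the form field is only compared."""
    account = account_from_token(token)
    if account is None:
        return "rejected: invalid session"
    if form.get("account", account) != account:
        return "rejected: account mismatch"  # worth logging as a tampering signal
    profiles[account] = {"email": form["email"], "password": form["password"]}
    return "updated"


if __name__ == "__main__":
    # Constructed sample data: two accounts, the session belongs to 1001.
    profiles = {"1001": {"email": "a@example.test", "password": "pw-a"},
                "1002": {"email": "b@example.test", "password": "pw-b"}}
    token = issue_token("1001")
    edited = {"account": "1002", "email": "a@example.test", "password": "pw-a"}
    print(update_checked(edited, token, profiles))  # rejected: account mismatch
    print(update_checked({**edited, "account": "1001"}, token, profiles))  # updated
```

A mismatch between the submitted account and the session's account never happens in normal use of the form, so the rejected branch is a useful event to log and alert on.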


