Bugtraq mailing list archives

Re: Freestats.com CGI vulnerability


From: aviram () JENIK COM (Aviram Jenik)
Date: Tue, 24 Nov 1998 20:09:53 +0200



I believe they fixed it now. Or at least, they changed the perl script (to "stat2.pl"), changed the product to "site tracker" and changed the user logon screen.
So it looked like someone did get your messages after all (or someone there is reading bugtraq ;-)

John Carlton wrote:

About a year ago I developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug.  After hearing no reply, and seeing no fix in sight, I've decided to post it here.

Procedure:

Start an account with freestats.com, and log in.  Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO".  This will call up a file called edit.pl with your user # and password included in it.

Save this file to your hard disk and open it with notepad.  The only form of security in this is a hidden attribute on the form element of your account number.  Change this from *input type=hidden name=account value=your#* to *input type=text name=account value=""*.  Save your page and load it into your browser.

There will now be a text input box where the hidden element was before.  Simply type a # in and push the "click here to update user profile" and all the information that appears on your screen has now been written to that user profile.

But that isn't the worst of it.  By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function.

Any thoughts, questions, or comments?

John Carlton,
CompSec specialist.

--
-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

I'm not into working out. My philosophy: No pain, no pain.
 - Carol Leifer
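The flaw Carlton describes is the server accepting whatever account number the hidden form field carries. The following is an added Python example, not code from the original post or from freestats.com, showing that handler pattern next to a hardened version that binds the update to the account the session was authenticated for; the profile store, `Session` class and function names are constructed for illustration.

```python
import copy
from dataclasses import dataclass

# Constructed sample profile store: account number -> profile fields.
PROFILES = {
    "1001": {"password": "alice-pw", "site": "alice.example"},
    "1002": {"password": "bob-pw", "site": "bob.example"},
}


def fresh_db() -> dict:
    """Return an independent copy of the sample store for each run."""
    return copy.deepcopy(PROFILES)


@dataclass
class Session:
    account: str  # account number established at login, held server side


def update_profile_vulnerable(form: dict, db: dict) -> str:
    """The pattern the post describes: the account to update is read from
    the submitted form, so editing the hidden field writes any profile."""
    account = form["account"]
    db.setdefault(account, {}).update(
        {"password": form["password"], "site": form["site"]})
    return account


def update_profile_fixed(session: Session, form: dict, db: dict) -> str:
    """Hardened: the account comes only from the authenticated session.
    A form whose account field disagrees is treated as tampering."""
    if form.get("account") not in (None, session.account):
        raise PermissionError("form account does not match session account")
    db[session.account].update(
        {"password": form["password"], "site": form["site"]})
    return session.account


if __name__ == "__main__":
    # Bob's session submits a form whose hidden account field was changed
    # to Alice's number (constructed input).
    tampered = {"account": "1001", "password": "new-pw", "site": "x.example"}
    bob = Session(account="1002")
    print(update_profile_vulnerable(tampered, fresh_db()))  # 1001: Alice overwritten
    try:
        update_profile_fixed(bob, tampered, fresh_db())
    except PermissionError as err:
        print("rejected:", err)
```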

