Bugtraq mailing list archives
Re: Banner Rotation 01
From: joaop () PTM PT (Joao Pedro Gonçalves)
Date: Wed, 17 May 2000 14:01:52 +0100
This problem comes back from 'Advertiser' that is available from http://dreamcatchersweb.com/scripts/ and documented in (hhp) Advertiser advisory. (hhp) http://www.attrition.org/security/advisory/hhp/hhp.008.ads-2 in fact, adpassword.txt is also 'admin' DES encrypted except that it is documented with different (but still insecure) permissions: --cut-- The files included need to following permissions: adcount.txt a+rw or 666 adpassword.txt a+rw or 666 --cut-- this is regarded in the advisory mentioned above. rotating 01 seems to me like a ripoff without the copyright notices present in Advertiser, with the same security issues. Joao Pedro Goncalves PT Multimedia - www.sapo.pt zillion wrote:
-- Banner rotating 01 -- --> Description: "Banner rotating 01" is a cgi script distributed for free on several site builder sites, including Hot Area. The script is available on http://www.hotarea.net/web/scripts/banner01/ The cgi script offers numerous functions for those wishing to manage rotating banners on their sites, including web based administration, unlimited advertisers, and statistics that keep track of exposures, click-throughs and the view-to-click ratio. The script requires Server Side Includes (SSI) support from the webserver. --> Affected sites: The Hot Area site mentions that the script has been downloaded 9345 times (as of 05/16/2000). A simple WebFerret search showed that scores of sites are affected with an exposed in-the-clear password file. --> The problem: A file called adpassword.txt is world readable as it is assigned the wrong permissions. This will allow a malicious attacker to read the contents of the file, to crack the DES encrypted password it contains (using a common-or-garden password cracker), and to edit banner entries,to add or to remove banners. --> Extracts of the manual with commentary: Note: The extracts below are taken from the manual, which is stored as an index.html in the same as the adpassword file and the .cgi scripts --cut-- Below are the files stored in the ads directory index.html - the manual ads.setup - the only file you need to change; ads.cgi - script to display correct advertiser; gotoad.cgi - script to direct links; admin.cgi - script to administrate your advertisers; adcount.txt - a file to keep track of which banner to display; adpassword.txt - password file for administration script; 01-03.jpg - demo images Advertiser.txt - sample data files Below are the permissions they want you to give your files ads.setup - 755 ads.cgi - 755 gotoad.cgi - 755 admin.cgi - 755 adcount.txt - 777 adpassword.txt - 777 Below is an explanation on how to use the admin.cgi tool Your password is currently set at admin. I suggest the first thing you do is to change it. Name - the name of the advertiser - DO NOT USE SPACES. Exposures - the number of exposures purchased. URL - the url that the banner should link to. Image URL - the url of the banner for the advertiser. Banner Text - the text that you want to appear below the banner. Font Size - the size of the text below the banner. Note: admin, when DES encrypted is "aaLR8vE.jjhss." 8 of the 10 web sites I reviewed did not change this password. Possible Countermeasures Delete the file. On Apache web servers, htaccess can be used to deny access to the file. --> This file was written by: Name: zillion Email: zillion () safemode org Url: http://www.safemode.org Special thanks to Peter Thomas!
<HR NOSHADE> <UL> <LI>text/x-vcard attachment: Card for Joao Pedro Gon\alves </UL>
Current thread:
- more majordomo brokeness, (continued)
- more majordomo brokeness Federico G. Schwindt (May 23)
- Re: more majordomo brokeness Richard Trott (May 31)
- I think Jay Mobley (May 23)
- Re: kscd vulnerability Katherine M. Moussouris (May 25)
- Cisco Bug Esteve Espuna (May 16)
- Re: Cisco Bug James Sneeringer (May 16)
- Security Bulletins Digest (fwd) Mike Bush (May 17)
- Cisco Bug Error Log Esteve Espuna (May 16)
- CProxy v3.3 SP 2 DoS |[TDP]| (May 16)
- Banner Rotation 01 zillion (May 16)
- Re: Banner Rotation 01 Joao Pedro Gonçalves (May 17)
- Vuln in calender.pl (Matt Kruse calender script) suid () SUID KG (May 16)
- Various Lame Stuff wizdumb () LEET ORG (May 16)
- You can now track Bugtraq 24/7 with Software. Alfred Huger (May 15)
- Allmanage.pl Vulnerabilities bighawk (May 15)