Re: Banner Rotation 01

[joaop () PTM PT (Joao Pedro Gonçalves)]

This problem comes back from 'Advertiser' that is available from
http://dreamcatchersweb.com/scripts/
and documented in

(hhp) Advertiser advisory. (hhp)
http://www.attrition.org/security/advisory/hhp/hhp.008.ads-2

in fact, adpassword.txt is also 'admin' DES encrypted except that it is
documented
with different (but still insecure) permissions:

--cut--
The files included need to following permissions:
adcount.txt     a+rw or 666
adpassword.txt  a+rw or
666
--cut--

this is regarded in the advisory mentioned above.

rotating 01 seems to me like a ripoff without the copyright notices
present
in Advertiser, with the same security issues.

Joao Pedro Goncalves
PT Multimedia - www.sapo.pt

zillion wrote:
>                                                 -- Banner rotating 01 --
>
> --> Description:
>
> "Banner rotating 01" is a cgi script distributed for free on several
> site builder sites, including Hot Area. The script is available on
> http://www.hotarea.net/web/scripts/banner01/ The cgi script offers
> numerous functions for those wishing to manage rotating banners on their
> sites, including web based administration, unlimited advertisers, and
> statistics that keep track of exposures, click-throughs and the
> view-to-click ratio. The script requires Server Side Includes (SSI)
> support from the  webserver.
>
> --> Affected sites:
>
> The Hot Area site mentions that the script has been downloaded 9345
> times (as of 05/16/2000). A simple WebFerret search showed that scores
> of sites are affected with an exposed in-the-clear password file.
>
> --> The problem:
>
> A file called adpassword.txt is world readable as it is assigned the
> wrong permissions. This will allow a malicious attacker to read the
> contents of the file, to crack the DES encrypted password it contains
> (using a common-or-garden password cracker), and to edit banner
> entries,to add or to remove banners.
>
> --> Extracts of the manual with commentary:
>
> Note: The extracts below are taken from the manual, which is stored as
> an index.html in the same as the  adpassword file and the .cgi scripts
>
>     --cut--
>
>   Below are the files stored in the ads directory
>
>    index.html      - the manual
>    ads.setup       - the only file you need to change;
>    ads.cgi         - script to display correct advertiser;
>    gotoad.cgi      - script to direct links;
>    admin.cgi       - script to administrate your advertisers;
>    adcount.txt     - a file to keep track of which banner to display;
>    adpassword.txt  - password file for administration script;
>    01-03.jpg       - demo images
>    Advertiser.txt - sample data files
>
>    Below are the permissions they want you to give your files
>
>    ads.setup       - 755
>    ads.cgi         - 755
>    gotoad.cgi      - 755
>    admin.cgi       - 755
>    adcount.txt     - 777
>    adpassword.txt  - 777
>
> Below is an explanation on how to use the admin.cgi tool
>
>   Your password is currently set at admin. I suggest the first thing you
> do is to change it.
>   Name        - the name of the advertiser - DO NOT USE SPACES.
>   Exposures   - the number of exposures purchased.
>   URL         - the url that the banner should link to.
>   Image URL   - the url of the banner for the advertiser.
>   Banner Text - the text that you want to appear below the banner.
>   Font Size   - the size of the text below the banner.
>
>   Note: admin, when DES encrypted is "aaLR8vE.jjhss." 8 of the 10 web
> sites I reviewed did not change this  password.
>
> Possible Countermeasures
> Delete the file. On Apache web servers, htaccess can be used to deny
> access to the file.
>
> --> This file was written by:
>
>     Name:   zillion
>     Email:  zillion () safemode org
>     Url:    http://www.safemode.org
>
> Special thanks to Peter Thomas!

<HR NOSHADE>
<UL>
<LI>text/x-vcard attachment: Card for Joao Pedro Gon\alves
</UL>