Open Source and information security mailing list archives
Date: Sat, 26 Jan 2008 13:26:20 +0100
From: "Gianni Amato" <guelfoweb@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Statcounter.com exposed credentials

DESCRIPTION

Statcounter.com is a popular (Page Rank: 9) web analytics service, free and
paid for websites with more than 250,000 pageloads per month.

VULNERABILITY

The server where the backup logs of the last three days are situated is badly
set up. Access to all directories on the server is free, including the "utils"
directory, which contains one script file called "update.sh" inside of which
are situated the user and password to enter and download the database log
from ip2location.com.

This is the path:

http://67.19.32.211/mc1.statcounter.com/utils/update.sh

25/01/08: I have communicated the vulnerability to Statcounter and they have
solved the problem by forbidding the page and changing the password.

Anyway, I have found an old site containing the same information by a better
search; Google still has the data in its cache:

http://209.85.135.104/search?q=cache:www.sunmarklsa.com/mc1.statcounter.com/utils/update.sh

-- 
Gianni Amato aka guelfoweb
http://www.gianniamato.it/
guelfoweb@...il.com
GnuPG key id: 0x6227ACDF
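As an added defender-side illustration (not part of the original post), the following Python script audits a web server's document root for the two conditions the post describes: directories that would be browsable if autoindex is enabled, and maintenance scripts carrying credentials on the command line. The directory layout, file contents and credential patterns are constructed for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns that commonly betray embedded credentials in maintenance scripts
# (a constructed, non-exhaustive list for this example).
CRED_PATTERNS = [
    re.compile(r"(?i)\b(pass(word)?|pwd|secret|token|api_key)\s*=\s*\S+"),
    re.compile(r"(?i)--(password|pass|user)[= ]\S+"),        # wget/curl style flags
    re.compile(r"(?i)\b(https?|ftp)://[^\s/@:]+:[^\s/@]+@"),  # user:pass@host in a URL
]
INDEX_FILES = {"index.html", "index.htm", "index.php"}
SCRIPT_EXT = {".sh", ".bash", ".pl", ".py"}


def scan_webroot(root):
    """Return (kind, relative_path, line) tuples for two exposure classes:
    'listable_dir'         - no index file, so an autoindex-enabled server lists it;
    'credential_in_script' - a script line that looks like it carries a secret."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if not INDEX_FILES & set(filenames):
            findings.append(("listable_dir", d.relative_to(root).as_posix(), None))
        for name in filenames:
            p = d / name
            if p.suffix not in SCRIPT_EXT:
                continue
            for lineno, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
                if any(pat.search(line) for pat in CRED_PATTERNS):
                    findings.append(("credential_in_script", p.relative_to(root).as_posix(), lineno))
    return findings


def build_sample_webroot():
    """Create a constructed document root mirroring the layout in the post."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<html>backup host</html>\n")
    (root / "utils").mkdir()
    (root / "utils" / "update.sh").write_text(
        "#!/bin/sh\n"
        "# constructed sample: fetch a vendor database with credentials on the command line\n"
        "wget --user=sample_user --password=SAMPLE_NOT_REAL ftp://db.example.invalid/latest.bin\n"
    )
    (root / "utils" / "rotate.sh").write_text("#!/bin/sh\nLOGDIR=/var/backup\nfind $LOGDIR -mtime +3 -delete\n")
    return root


if __name__ == "__main__":
    for kind, path, line in scan_webroot(build_sample_webroot()):
        print(kind, path, line if line else "")
```

The fix the post describes (blocking the page and rotating the password) maps onto the two finding kinds: disable directory indexes for the listable directories and move the credentials out of the flagged script into a file outside the document root.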
