Re: Freestats.com CGI vulnerability

From: Aviram Jenik (aviramat_private)
Date: Tue Nov 24 1998 - 10:14:29 PST


    Naturally, just milliseconds after I sent my last mail I saw that I was dead wrong.
    Apparently, deep inside the web site they still have the good old "edit.pl" script. It takes some time to reach it (unlike the path you described) but you can reach it directly at:
    http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
    
    I just tested your exploit, and it seems to work nicely.
    
    John Carlton wrote:
    
    > About a year ago I developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug.  After hearing no reply, and seeing no fix in sight, I've decided to post it here.
    >
    > Procedure:
    >
    > Start an account with freestats.com, and log in.  Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO"  This will call up a file called edit.pl with your user # and password included in it.
    >
    > Save this file to your hard disk and open it with notepad.  The only form of security in this is a hidden attribute on the form element of your account number.  Change this from *input type=hidden name=account value=your#* to *input type=text name=account value=""*  Save your page and load it into your browser.
    >
    > There will now be a text input box where the hidden element was before.  Simply type a # in and push the "click here to update user profile" and all the information that appears on your screen has now been written to that user profile.
    >
    > But that isn't the worst of it.  By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function.
    >
    > Any thoughts, questions, or comments?
    >
    > John Carlton,
    > CompSec specialist.
    
    --
    -------------------------
    Aviram Jenik
    
    "Addicted to Chaos"
    
    -------------------------
    Today's quote:
    
    I'm not into working out. My philosophy: No pain, no pain.
     - Carol Leifer
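The flaw in the quoted procedure is that edit.pl treats a hidden form field as proof of who owns the profile being written. The model below is an added example, not code from the original post, from freestats.com, or from John Carlton's patch (which is not on the page): it parses a form body the way a CGI script would, shows a handler that writes to whatever `account` the form carries, and beside it a hardened handler that only writes after the submitted password has been checked against the target account. Account numbers, passwords, the `site` field and the in-memory store are all constructed for the example.

```python
"""Model of trusting a hidden 'account' form field as authorisation.

Added example. The store, account numbers, passwords and the 'site' profile
field are constructed; the real edit.pl fields beyond 'account' and
'password' are unknown.
"""
import copy
import hmac
from urllib.parse import parse_qs


def fresh_store():
    """Constructed stand-in for the stats service's account data.
    Passwords are kept in clear only to keep the model short; a real
    store would hold a salted hash and compare against that."""
    return copy.deepcopy({
        "1001": {"password": "attacker-pw", "profile": {"site": "attacker.example"}},
        "1002": {"password": "victim-pw",   "profile": {"site": "victim.example"}},
    })


def parse_form(body):
    """application/x-www-form-urlencoded body -> flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_update(store, body):
    """The behaviour the post describes: the hidden 'account' field picks
    the profile to overwrite and nothing ties it to the submitter. Hidden
    inputs are client data, so turning the field into a text box (or
    editing the request by hand) retargets the write to any account."""
    form = parse_form(body)
    account = form.get("account", "")
    record = store.get(account)
    if record is None:
        return 404, "no such account"
    record["profile"]["site"] = form.get("site", "")
    return 200, "profile updated for account %s" % account


def hardened_update(store, body):
    """Assumed fix: authorise the write against the *target* account by
    requiring the password stored for that account, compared in constant
    time. An attacker who retargets 'account' to 1002 still only knows
    their own password, so the write is refused."""
    form = parse_form(body)
    account = form.get("account", "")
    password = form.get("password", "")
    record = store.get(account)
    if record is None or not hmac.compare_digest(record["password"], password):
        # Same answer for unknown account and wrong password: no enumeration.
        return 403, "authentication failed"
    record["profile"]["site"] = form.get("site", "")
    return 200, "profile updated for account %s" % account


def demo():
    """Attacker 1001 submits the form with 'account' changed to 1002."""
    tampered = "account=1002&password=attacker-pw&site=hijacked.example"

    s = fresh_store()
    status, _ = vulnerable_update(s, tampered)
    vuln_result = (status, s["1002"]["profile"]["site"])

    s = fresh_store()
    status, _ = hardened_update(s, tampered)
    hard_result = (status, s["1002"]["profile"]["site"])

    return vuln_result, hard_result


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable handler:", v)   # victim's profile overwritten
    print("hardened handler:  ", h)   # 403, victim's profile untouched
```

The same check blocks the mass password change the post mentions: each forged submission would need the victim's current password, not just their account number. Checking the password per request is the minimal fix for a script that already carries both fields; the usual design today is to bind the account to a server-side session established at login and ignore any account identifier the client sends.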
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:08 PDT