Full Disclosure mailing list archives
Statcounter.com exposed credentials
From: "Gianni Amato" <guelfoweb () gmail com>
Date: Sat, 26 Jan 2008 13:26:20 +0100
DESCRIPTION

Statcounter.com is a popular (Page Rank: 9) web analytics service, free and paid, for websites with more than 250,000 pageloads per month.

VULNERABILITY

The server where the backups of the logs of the last three days are located is badly set up. Access to all directories on the server is open, including the "utils" directory, which contains a script file called "update.sh" inside of which are the user and password used to log in and download the database log from ip2location.com. This is the path:

http://67.19.32.211/mc1.statcounter.com/utils/update.sh

25/01/08: I have communicated the vulnerability to Statcounter and they have solved the problem by forbidding the page and changing the password. Anyway, I have found an old site containing the same information through a better search; Google still has it in its cache:

http://209.85.135.104/search?q=cache:www.sunmarklsa.com/mc1.statcounter.com/utils/update.sh

--
Gianni Amato aka guelfoweb
http://www.gianniamato.it/
guelfoweb () gmail com
GnuPG key id: 0x6227ACDF
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
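The failure reported above has two parts: an auto-generated directory listing that exposes a maintenance script, and a script that carries a literal third-party password. The following is an added example (not code from the original post, from Statcounter or from ip2location) showing how a practitioner would check for both: detect an "Index of /" page, enumerate the files it lists, and scan shell scripts for hard-coded secrets. The HTML listing and the `update.sh` contents are constructed samples with placeholder credentials; the real script's contents are not known from the post. The `fetch` callable is a hypothetical hook so the example runs offline.

```python
"""Added example: spot an exposed directory listing and literal credentials
in the scripts it reveals. Sample inputs are constructed, not the real files."""
import re
from html.parser import HTMLParser

# Constructed sample of an Apache-style autoindex page (not the real listing).
SAMPLE_INDEX_HTML = """<html><head><title>Index of /mc1.statcounter.com/utils</title></head>
<body><h1>Index of /mc1.statcounter.com/utils</h1>
<a href="../">Parent Directory</a>
<a href="update.sh">update.sh</a>
<a href="old/">old/</a>
</body></html>"""

# Constructed sample script with placeholder credentials (not the real update.sh).
SAMPLE_UPDATE_SH = """#!/bin/sh
# nightly refresh of the ip2location database (constructed example, not the real script)
USER=exampleuser
PASS=examplepass
wget --http-user=$USER --http-password=$PASS https://download.example.invalid/DB1.BIN
curl -o DB1.BIN "ftp://exampleuser:examplepass@ftp.example.invalid/DB1.BIN"
"""


class _IndexParser(HTMLParser):
    """Collects the <title> text and every href on an index page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse_index(html):
    parser = _IndexParser()
    parser.feed(html)
    parser.close()
    return parser


def is_directory_listing(html):
    """True when the page title is the autoindex form 'Index of /...'."""
    return _parse_index(html).title.strip().lower().startswith("index of ")


def listed_files(html):
    """File entries on an index page; parent links and sub-directories are dropped."""
    return [h for h in _parse_index(html).hrefs
            if not h.endswith("/") and not h.startswith(("?", "#"))]


# Literal assignments to secret-looking shell variables, e.g. PASS=..., export API_KEY="..."
_ASSIGN = re.compile(
    r"^\s*(?:export\s+)?([A-Za-z_]*(?:PASS|PASSWD|PASSWORD|SECRET|TOKEN|API_?KEY)[A-Za-z_]*)"
    r"\s*=\s*[\"']?([^\"'\s]+)", re.I)
# Password flags of common download tools, e.g. --http-password=... or --password ...
_FLAG = re.compile(r"--(?:http-|ftp-)?(?:password|passwd)[=\s]+[\"']?([^\"'\s]+)", re.I)
# Credentials embedded in a URL, e.g. ftp://user:secret@host/
_URL = re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@[^\s/]+", re.I)


def find_credentials(text):
    """Return literal credentials found in a script; variable references ($PASS) are not literals."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, value in _ASSIGN.findall(line):
            if not value.startswith("$"):
                findings.append({"line": lineno, "kind": "assignment", "name": name, "value": value})
        for value in _FLAG.findall(line):
            if not value.startswith("$"):
                findings.append({"line": lineno, "kind": "cli-flag", "name": "password", "value": value})
        for user, password in _URL.findall(line):
            findings.append({"line": lineno, "kind": "url", "name": user, "value": password})
    return findings


def mask(value):
    """Keep first and last character so a report never repeats the secret in full."""
    return value[0] + "*" * (len(value) - 2) + value[-1] if len(value) > 4 else "*" * len(value)


def assess(index_html, fetch):
    """Walk an exposed listing; `fetch(name)` returns a listed file's content (hypothetical hook)."""
    report = []
    if not is_directory_listing(index_html):
        return report
    for name in listed_files(index_html):
        if not name.endswith((".sh", ".bash", ".cfg", ".conf", ".ini", ".env")):
            continue
        for f in find_credentials(fetch(name)):
            report.append(f"{name}:{f['line']} {f['kind']} {f['name']}={mask(f['value'])}")
    return report


if __name__ == "__main__":
    for line in assess(SAMPLE_INDEX_HTML, {"update.sh": SAMPLE_UPDATE_SH}.__getitem__):
        print(line)
```

The `$PASS` reference on the `wget` line is deliberately not reported: the secret is the literal assignment two lines above it, and flagging the reference as well would double-count one exposure. The fix the post describes (forbidding the page and rotating the password) maps onto the two checks here: once `is_directory_listing` is false the walk stops, and once the literal is gone `find_credentials` returns nothing.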