Full Disclosure mailing list archives

Statcounter.com exposed credentials


From: "Gianni Amato" <guelfoweb () gmail com>
Date: Sat, 26 Jan 2008 13:26:20 +0100

DESCRIPTION

Statcounter.com is a popular (Page Rank: 9) web analytics services free and
payment for websites with more 250,000 pageloads per mounth.

VULNERABILITY

The server where the backup's log of the last three days are situated is bad
setted. The access for all directorys by server is free, incluse "utils"
directory that contains one script file called "update.sh" inside of which
are situated the user and password to enter and download the database  log
from ip2location.com

this is the path:

http://67.19.32.211/mc1.statcounter.com/utils/update.sh

25/01/08: i have comunicated the vulnerability to Statcounter and they  have
solved the problem forbidding the page and changing the  password.

Anyway i have found a old site contained the same information by a better
search, Google has still date into the Cache:

http://209.85.135.104/search?q=cache:www.sunmarklsa.com/mc1.statcounter.com/utils/update.sh

-- 
Gianni Amato aka guelfoweb
http://www.gianniamato.it/
guelfoweb () gmail com
GnuPG key id: 0x6227ACDF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread: