Bugtraq mailing list archives

Re: Security flaw in Count.cgi (wwwcount)


From: benkovsk () PHA PVT CZ (Jaroslav Benkovsky)
Date: Mon, 13 Oct 1997 18:21:52 +0200


Razvan Dragomirescu wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> I have found a vulnerability in Muhammad A. Muquit's wwwcount version 2.3
> which allows remote users to read any GIF file on the server,
> ...

A temporary and very dirty fix is to apply something like

          case SHOW_GIF_FILE:
          {
+             PrintHeader();
+             StringImage("Images have been disabled");
+             exit(1);
+
              if (*digit_info.gif_file == '\0')
              {
                  PrintHeader();
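Review bot: everything in this case arm after the added `exit(1)` is unreachable, including the original `if (*digit_info.gif_file == '\0')` check and its `PrintHeader()` call, so main.c ends up with a switch arm whose own body can never run; if the intent is to disable GIF serving outright, make that explicit by removing the arm's body or wrapping it in `#if 0` ... `#endif` rather than leaving dead code behind an early exit. Since `PrintHeader()` and `StringImage("Images have been disabled")` have already written a complete, deliberate response by the time `exit()` is reached, `exit(0)` describes the outcome better than an error status of 1. Note also that this patch disables the feature entirely instead of validating the requested file name, which is fine for the stopgap the author describes but is not a fix for the underlying "read any GIF file" problem.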

to wwwcount2.3/main.c

(stupid, but maybe it helps somebody). Btw, the counter sources
are careless in many other cases.

I'm sorry if this seems stupid to you

                                        Edheldil


