Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Adminware, Control Panels :: a1stat~1.htm

A1Stats CGI view files, overwrite files bug



    Anyone using a A1Stats that was downloaded before 24/04/01


    nemesystm of the  DHC found following.   A1Stats is a  CGI package
    to track website traffic.   The package has a  view files bug  and
    also gives the possibility to overwrite existing files.

    To test these vulnerabilities, try the following:

    These two will give you /etc/passwd:

    This will also give you /etc/passwd but it will show it in a  very
    mangled manner as the  CGI adds HTML tags  to what it thinks  is a
    file it created itself.

    One can also open a file and wreck its contents:


    will  empty  a1admin.txt.   a1admin.txt  contains  the password to
    change settings of  the CGI.   When this file  is removed, no  one
    can log in anymore.


    Downloading the latest version will solve this problem.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH