| Subject: | [Full-disclosure] Statcounter.com exposed credentials |
|---|---|
| Date: | Sat, 26 Jan 2008 13:26:20 +0100 |

DESCRIPTION

Statcounter.com is a popular (Page Rank: 9) web analytics service, free, and paid for websites with more than 250,000 pageloads per month.

VULNERABILITY

The server where the backup logs of the last three days are located is badly configured. Access to all directories on the server is open, including the "utils" directory, which contains one script file called "update.sh", inside of which are the user and password to log in and download the database log from ip2location.com. This is the path:

http://67.19.32.211/mc1.statcounter.com/utils/update.sh

25/01/08: I have communicated the vulnerability to Statcounter and they have solved the problem by forbidding the page and changing the password. Anyway, with a better search I have found an old site that contained the same information; Google still has the data in the cache:

http://209.85.135.104/search?q=cache:www.sunmarklsa.com/mc1.statcounter.com/utils/update.sh

--
Gianni Amato aka guelfoweb
http://www.gianniamato.it/
guelfoweb@gmail.com
GnuPG key id: 0x6227ACDF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
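
A defender-side check for the condition reported above (a maintenance script with literal credentials readable under a web-served directory), as an added example that is not part of the original post. The credential patterns, the sample script contents, the download.example host and the /etc/example path are constructed assumptions; the contents of the real update.sh are not shown on the page.

```python
import os
import re
import tempfile

# Assumed credential shapes; the contents of the real update.sh are not on the page.
CRED_PATTERNS = [
    re.compile(r"--(?:http-|ftp-)?(?:user|password)[= ]\S+"),  # wget-style flags
    re.compile(r"\b\w+://[^/\s:@]+:[^/\s:@]+@"),               # scheme://user:pass@host
    re.compile(r"(?i)\b(?:pass(?:word|wd)?|login|user(?:name)?)\s*=\s*['\"]?[^\s'\"$]+"),
]
# File types that have no reason to be readable through the web server.
RISKY_EXT = {".sh", ".bash", ".bak", ".sql", ".conf", ".ini"}


def audit_docroot(docroot):
    """Return sorted (relative_path, line_no) pairs for literal credentials."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in RISKY_EXT:
                continue
            path = os.path.join(base, name)
            with open(path, errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if line.lstrip().startswith("#"):
                        continue  # skip comments and the shebang
                    if any(p.search(line) for p in CRED_PATTERNS):
                        findings.append((os.path.relpath(path, docroot), no))
    return sorted(findings)


def build_sample(root):
    """Constructed tree: a script with literal credentials beside a corrected one."""
    utils = os.path.join(root, "utils")
    os.makedirs(utils)
    fetch = 'wget "https://download.example/db.zip?login=$LOGIN&password=$PASSWORD"\n'
    with open(os.path.join(utils, "update.sh"), "w") as fh:
        fh.write("#!/bin/sh\nLOGIN=example_user\nPASSWORD=example_pass\n" + fetch)
    with open(os.path.join(utils, "update_fixed.sh"), "w") as fh:
        # Corrected form: credentials sourced from a 0600 file outside the docroot.
        fh.write("#!/bin/sh\n. /etc/example/db.credentials\n" + fetch)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, no in audit_docroot(tmp):
            print(f"{rel}:{no}: literal credential in a web-served file")
```

Only the lines that assign literal values are reported; the corrected script is not flagged, although keeping maintenance scripts out of the document root altogether removes the exposure regardless of what they contain.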