statcounter-expose.txt
Posted on 28 January 2008
Source: packetstormsecurity.org
DESCRIPTION
Statcounter.com is a popular (Page Rank: 9) web analytics service, free, and
paid for websites with more than 250,000 pageloads per month.
VULNERABILITY
The server that holds the log backups of the last three days is misconfigured.
Access to all directories on the server is open, including the "utils"
directory, which contains a script file called "update.sh" that holds the
user name and password used to log in and download the database log
from ip2location.com.
This is the path:
http://67.19.32.211/mc1.statcounter.com/utils/update.sh
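A defender-side check for the misconfiguration described above, as an added example that is not part of the original advisory: it scans a web document root for scripts with hard-coded credentials and reports only file and line, never the secret. The sample tree, the placeholder credential values and the `wget` form of the download command are constructed assumptions; the advisory does not show the contents of the real update.sh.

```shell
#!/bin/sh
# Added example: find credentials embedded in files under a web document root.
# The patterns and the sample tree below are constructed for illustration.

Q="[\"']?"                   # optional opening quote around a value
NV="[^[:space:]\"'\$]"       # first value character: literal, not a $variable

# audit_webroot DIR: print "file:line" for each hit, never the secret itself.
audit_webroot() {
    find "$1" -type f \( -name '*.sh' -o -name '*.conf' -o -name '*.bak' \) \
        -exec grep -HnEi \
            -e "(pass(word|wd)?|user(name)?|login)[[:space:]]*=[[:space:]]*${Q}${NV}" \
            -e "--(http-|ftp-)?(user|password)=${Q}${NV}" \
            -e "://[^/[:space:]:@\$]+:[^/[:space:]@\$]+@" \
            {} + 2>/dev/null | cut -d: -f1,2
}

# make_sample_tree: build a constructed docroot and print its path.
make_sample_tree() {
    root=$(mktemp -d) && mkdir -p "$root/utils" || return 1
    # Hard-coded download credentials (placeholder values, wget form assumed).
    cat > "$root/utils/update.sh" <<'EOF'
#!/bin/sh
wget --user=demo_user --password=demo_pass http://db.example.invalid/log.zip
EOF
    # Same job, but credentials come from variables set outside the docroot.
    cat > "$root/utils/update-env.sh" <<'EOF'
#!/bin/sh
wget --user="$DL_USER" --password="$DL_PASS" http://db.example.invalid/log.zip
EOF
    echo "$root"
}

sample=$(make_sample_tree)
audit_webroot "$sample"      # reports utils/update.sh line 2 only
rm -rf "$sample"
```
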
25/01/08: I have communicated the vulnerability to Statcounter and they have
solved the problem by forbidding the page and changing the password.
Anyway, with a better search I have found an old site containing the same
information; Google still has the data in the cache:
http://209.85.135.104/search?q=cache:www.sunmarklsa.com/mc1.statcounter.com/utils/update.sh
--
Gianni Amato aka guelfoweb
http://www.gianniamato.it/
guelfoweb@gmail.com
GnuPG key id: 0x6227ACDF