COMMAND
"Banner rotating 01"
SYSTEMS AFFECTED
"Banner rotating 01"
PROBLEM
'zillion' found the following. "Banner rotating 01" is a cgi script
distributed for free on several site builder sites, including Hot
Area. The script is available on
http://www.hotarea.net/web/scripts/banner01/
The cgi script offers numerous functions for those wishing to
manage rotating banners on their sites, including web based
administration, unlimited advertisers, and statistics that keep
track of exposures, click-throughs and the view-to-click ratio.
The script requires Server Side Includes (SSI) support from the
webserver.
The Hot Area site mentions that the script has been downloaded
9345 times (as of 05/16/2000). A simple WebFerret search showed
that scores of sites are affected with an exposed in-the-clear
password file.
A file called adpassword.txt is world-readable because it is assigned
the wrong permissions. This allows a malicious attacker to read the
contents of the file, to crack the DES encrypted password it contains
(using a common-or-garden password cracker), and then to edit banner
entries, to add banners or to remove them.
Note: The extracts below are taken from the manual, which is
stored as index.html in the same directory as the adpassword file and
the .cgi scripts.
--cut--
Below are the files stored in the ads directory
index.html - the manual
ads.setup - the only file you need to change;
ads.cgi - script to display correct advertiser;
gotoad.cgi - script to direct links;
admin.cgi - script to administrate your advertisers;
adcount.txt - a file to keep track of which banner to display;
adpassword.txt - password file for administration script;
01-03.jpg - demo images
Advertiser.txt - sample data files
Below are the permissions they want you to give your files
ads.setup - 755
ads.cgi - 755
gotoad.cgi - 755
admin.cgi - 755
adcount.txt - 777
adpassword.txt - 777
Below is an explanation on how to use the admin.cgi tool
Your password is currently set at admin. I suggest the first
thing you do is to change it.
Name - the name of the advertiser - DO NOT USE SPACES.
Exposures - the number of exposures purchased.
URL - the url that the banner should link to.
Image URL - the url of the banner for the advertiser.
Banner Text - the text that you want to appear below the banner.
Font Size - the size of the text below the banner.
Note: "admin", when DES encrypted, is "aaLR8vE.jjhss.". 8 of the 10
web sites reviewed had not changed this password.
SOLUTION
Delete the file. On Apache web servers, .htaccess can be used to
deny access to the file.
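An added audit and hardening script for an installed copy (not part of the advisory or of the script's distribution); it assumes the ads directory layout quoted from the manual, that adpassword.txt holds only the crypt(3) hash on its first line, and that the data files are owned by the account the CGI scripts run as:

```shell
# Audit an installed "Banner rotating 01" ads directory for the two problems
# described in the advisory: world-readable/writable data files and an unchanged
# default administration password. Constructed example; it assumes adpassword.txt
# holds only the crypt(3) hash on its first line and that the data files are
# owned by the account the CGI scripts run as.
DEFAULT_HASH='aaLR8vE.jjhss.'   # DES crypt of "admin", as quoted in the advisory

# world_bits FILE OCTAL: succeed if every bit in OCTAL is set on FILE (POSIX find)
world_bits() {
    [ -n "$(find "$1" -perm -"$2" 2>/dev/null)" ]
}
# audit_ads_dir DIR: print one line per finding; exit status 0 only when clean
audit_ads_dir() {
    ads_dir=$1
    findings=0
    for name in adpassword.txt adcount.txt; do
        file="$ads_dir/$name"
        [ -f "$file" ] || continue
        if world_bits "$file" 004; then
            echo "$name: world-readable (any local user, and the web unless blocked)"
            findings=$((findings + 1))
        fi
        if world_bits "$file" 002; then
            echo "$name: world-writable (any local user can alter it)"
            findings=$((findings + 1))
        fi
    done
    # the hash comparison needs no cracking: a default install is recognisable
    stored=$(head -n 1 "$ads_dir/adpassword.txt" 2>/dev/null | tr -d '[:space:]')
    if [ "$stored" = "$DEFAULT_HASH" ]; then
        echo "adpassword.txt: still holds the default hash for 'admin'"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
# harden_ads_dir DIR: restrict the data files to their owner and block web access
# to every .txt file in the directory with a .htaccess (Apache 2.4 syntax)
harden_ads_dir() {
    ads_dir=$1
    for name in adpassword.txt adcount.txt; do
        [ -f "$ads_dir/$name" ] && chmod 600 "$ads_dir/$name"
    done
    cat > "$ads_dir/.htaccess" <<'EOF'
# Apache 1.3/2.2 would use "Order allow,deny" and "Deny from all" instead
<FilesMatch "\.txt$">
    Require all denied
</FilesMatch>
EOF
}
```

The default-hash check only flags the unchanged password; changing it through admin.cgi is still required after hardening.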
This problem originates from 'Advertiser', which is available from
http://dreamcatchersweb.com/scripts/
and is documented in
http://www.attrition.org/security/advisory/hhp/hhp.008.ads-2
In fact, its adpassword.txt also contains 'admin' DES encrypted, except
that it is documented with different (but still insecure) permissions:
The files included need the following permissions:
adcount.txt a+rw or 666
adpassword.txt a+rw or 666
This is covered in the advisory mentioned above. Banner rotating 01
appears to be a rip-off of Advertiser with the copyright notices
removed, and it carries the same security issues.