COMMAND

    Freestats.com CGI

SYSTEMS AFFECTED

    Systems using Freestats.com CGIs

PROBLEM

    John Carlton found the following.  He developed an exploit for the
    free web-stats service offered at freestats.com, and supplied the
    webmaster with proper code to patch the bug.

    Start an account with freestats.com and log in.  Click on the area
    that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO".
    This calls up a file called edit.pl with your user # and password
    included in it.  Save this file to your hard disk and open it with
    Notepad.  The only form of security in this is a hidden attribute
    on the form element holding your account number.  Change this from

        <input type=hidden name=account value=your#>

    to

        <input type=text name=account value="">

    Save your page and load it into your browser.  There will now be a
    text input box where the hidden element was before.  Simply type an
    account # in and push "click here to update user profile", and all
    the information that appears on your screen has now been written to
    that user profile.

    But that isn't the worst of it.  By using frames (two frames, one to
    hold the page you just made and one as a target for the form
    submission) you could change the password on all of their accounts
    with a simple JavaScript function.

    Deep inside the web site the authors still have the good old
    "edit.pl" script.  It takes some time to reach it (unlike the path
    described), but you can reach it directly at:

        http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
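
    The root cause described above is that edit.pl lets a hidden form
    field, which the browser can rewrite at will, decide which account
    gets written.  The following is an added illustration, not the
    freestats.com script, showing that pattern beside a handler that
    takes the account from the server-side login session instead; the
    session dict, store layout and account numbers are assumptions.

```python
"""Added illustration (not freestats.com's edit.pl): why a hidden form field
cannot carry authorization, and what the server-side check should look like.
The session dict, store layout and account numbers below are assumptions."""


def make_store():
    # Constructed sample accounts; the real service's data layout is unknown.
    return {
        "1001": {"profile": "Alice's stats page"},
        "1002": {"profile": "Bob's stats page"},
    }


def edit_vulnerable(store, session, params):
    """Mirrors the reported bug: the record to update is selected purely by
    the 'account' form field, which the client controls, and the identity
    established at login (session) is never consulted."""
    target = store.get(params.get("account"))
    if target is None:
        return "no such account"
    target["profile"] = params.get("profile", "")
    return "updated"


def edit_fixed(store, session, params):
    """Hardened form: the account to modify comes from the server-side
    session, and a form field disagreeing with it is treated as tampering."""
    owner = session.get("account")
    if owner not in store:
        return "not logged in"
    if params.get("account") != owner:
        # Worth logging: a browser that rewrote the hidden field.
        return "forbidden"
    store[owner]["profile"] = params.get("profile", "")
    return "updated"


if __name__ == "__main__":
    tampered = {"account": "1002", "profile": "overwritten"}
    alice = {"account": "1001"}  # session created at Alice's login
    s = make_store()
    print(edit_vulnerable(s, alice, tampered), s["1002"])  # updated {'profile': 'overwritten'}
    s = make_store()
    print(edit_fixed(s, alice, tampered), s["1002"])  # forbidden {'profile': "Bob's stats page"}
```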

SOLUTION

    Nothing yet.