Statcounter Update.sh Vulnerability Fixes

    • Jan
    • 27

    Statcounter Update.sh Vulnerability Fixes

    Posted by chaoskaizer.myopenid.com 8 months, 2 weeks ago.

    Filed under Security & vulnerability.

    Gianni Amato found a vulnerability in statcounter that can expose ip2location database log and account credentials.

    The Vulnerability

    The vulnerability exists in statcounters backup log inside utils directory where the file update.sh reside.


    Excerpt from Giani Amot:

    The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com

    Update.sh

    cd /home/ip2location

/usr/bin/curl --data 'login=webmaster@statcounter.com&password=kOFr3VTh' 'http://www.ip2location.com/download.aspx?productcode=db6bin' > /home/ip2location/ipdb_current.bin.zip

rm /home/ip2location/ipdb_new.bin

unzip -p /home/ip2location/ipdb_current.bin.zip *.BIN > /home/ip2location/ipdb_new.bin

if [ "$?" -ne "0" ]; then

 echo "Sorry, new ip_db archive isn't valid!"

 exit 1

fi

mv /home/ip2location/ipdb_new.bin /home/ip2location/ipdb.bin

rm /home/ip2location/ipdb_current.bin.zip

/bin/cp /home/ip2location/ipdb.bin /mnt/rd/ipdb.bin

    htaccess workaround

    places the following .htaccess code inside statscounter /utils/ directory

    #deny access to any file with *.sh filetypes
<Files ~ "^\.sh">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

#Deny request for *.log & comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

    password protected directories

    AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/etc/.htpasswd-allusers
require valid-user

    Note: You will need to change the AuthUserFile password file location depending on your server configurations.

    External Resources

    About the Author

     

    Tags:
    • January 27, 2008 at 1:11 pm
    • February 3, 2008 at 11:48 am
    • 0.3
    • url

    • No Responses to Statcounter Update.sh Vulnerability Fixes

      Trackback URL: Use the TrackBack url ↑ to ping this article. If your blog does not support Trackbacks you might want to leave a comment instead.
        • RE: Statcounter Update.sh Vulnerability Fixes - 'The Guide' ↓
          Statcounter Update.sh Vulnerability Fixes Kakkoi 8 months, 2 weeks ago 5 url
          Marvin, Point of View Gun

          The following "Code" are designed to protect you and other users of this site.

          • Be relevant: Your comment should be a thoughtful contribution to the subject of the entry. Keep your comments constructive and polite.
          • No advertising or spamming: Do not use the comment feature to promote commercial entities/products, affiliates services or websites. You are allowed to post a link as long as it's relevant to the entry.
          • Keep within the law: Do not link to offensive or illegal content websites. Do not make any defamatory or disparaging comments which might damage the reputation of a person or organisation.
          • Privacy: Do not post any personal information relating to yourself or anyone else - (ie: address, place of employment, telephone or mobile number or email address).

          In order to keep these experiences enjoyable and interesting for all of our users, we ask that you follow the above guidlines.

          be the first to comment.

          KakkoiFeel free to engage, ask questions, and tell us what you are thinking! Regular and insightful comments are most welcomed.

           

    "write as if you were talking to a good friend (in front of your mother)."

    .haveyoursay

    Disclaimer: For any content that you post, you hereby grant to Kakkoi the royalty-free, irrevocable, perpetual, exclusive and fully sublicensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform and display such content in whole or in part, world-wide and to incorporate it in other works, in any form, media or technology now known or later developed. Some rights reserved.

MySQL query error