Statcounter Update.sh Vulnerability Fixes

chaoskaizer.myopenid.com — Sun, 27 Jan 2008 13:11:46 +0000

Gianni Amato found a vulnerability in statcounter that can expose ip2location database log and account credentials.

The Vulnerability

The vulnerability exists in statcounters backup log inside utils directory where the file update.sh reside.

googlecache: *.statcounter.com/utils/update.sh

Excerpt from Giani Amot:

The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com

Update.sh

cd /home/ip2location

/usr/bin/curl --data 'login=webmaster@statcounter.com&password=kOFr3VTh' 'http://www.ip2location.com/download.aspx?productcode=db6bin' > /home/ip2location/ipdb_current.bin.zip

rm /home/ip2location/ipdb_new.bin

unzip -p /home/ip2location/ipdb_current.bin.zip *.BIN > /home/ip2location/ipdb_new.bin

if [ "$?" -ne "0" ]; then

 echo "Sorry, new ip_db archive isn't valid!"

 exit 1

fi

mv /home/ip2location/ipdb_new.bin /home/ip2location/ipdb.bin

rm /home/ip2location/ipdb_current.bin.zip

/bin/cp /home/ip2location/ipdb.bin /mnt/rd/ipdb.bin

htaccess workaround

places the following .htaccess code inside statscounter /utils/ directory

#deny access to any file with *.sh filetypes

 Order allow,deny
 Deny from all
 Satisfy All


#Deny request for *.log & comment files

 Order allow,deny
 Deny from all
 Satisfy All

password protected directories

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/etc/.htpasswd-allusers
require valid-user

Note: You will need to change the AuthUserFile password file location depending on your server configurations.

External Resources

How to block Google Wireless Transcoder

Noah Ark — Sat, 29 Dec 2007 07:11:19 +0000

When Google Wireless Transcoder (GWT, Googlebot-mobile) translate your website it strip all “scripts” and render it in mobile format (XHTML mobile 1.0)Google version of “Mobile format”. To test this services go to http://google.com/gwt/n. GWT services is actually made for mobile-user but you can still surf with normal browser.

So what the heck wrong with it

The answer is Yes & No. This type of services is bad for webmaster that depend on ads income. Otherwise Normal Surfer would love this services as they wont need to view any ads and surf safely without “javascript embed” (from the originating website).

How to Block Googlebot Mobile Crawler

These are some server environment variables for Google Wireless Transcoder

USER_AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)
HTTP_VIA: 1.1 proxy.google.com:80 (squid)
HTTP_X_FORWARDED_FOR: xxx.xx.xxx.xxx, unknown
REMOTE_ADDR: 209.85.138.136
REMOTE_PORT: 56931

block via .htaccess

with mod_setenvif


SetEnvIfNoCase User-Agent "^Google\ Wireless\ Transcoder*" gwt_agent=1
SetEnvIfNoCase User-Agent "^Googlebot-Mobile*" gwt_agent=1

Order Allow,Deny
Allow from all
Deny from env=gwt_agent

or with mod_rewrite


RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Google\ Wireless\ Transcoder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Googlebot-Mobile
RewriteRule ^.* - [F,L]

Robots Exclusion Standards

User-agent: Googlebot-Mobile
Disallow: /

Google Webmaster Analyze robots.txt

After you add the above robot.txt code login to your Google Webmaster Central.

Select Tools > Analyze robots.txt
Select Google Mobile : Crawls page for our mobile index on “user-agents dropdown list”.

Embed HTML Meta Link header

Google Support

If you want to prevent Google Mobile services from transcoding your page its recommended to request for removal via Google Mobile Support form.

Soap

If google-mobile can restrict this services for mobile only view or maybe implement something like “duggmirror” for normal browsing, it would be welcome.

Kakkoi » htaccess