Gianni Amato found a vulnerability in statcounter that can expose ip2location database log and account credentials.

The Vulnerability

The vulnerability exists in statcounters backup log inside utils directory where the file update.sh reside.

• googlecache: *.statcounter.com/utils/update.sh

Excerpt from Giani Amot:

The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com

Update.sh

cd /home/ip2location

/usr/bin/curl --data 'login=webmaster@statcounter.com&password=kOFr3VTh' 'http://www.ip2location.com/download.aspx?productcode=db6bin' > /home/ip2location/ipdb_current.bin.zip

rm /home/ip2location/ipdb_new.bin

unzip -p /home/ip2location/ipdb_current.bin.zip *.BIN > /home/ip2location/ipdb_new.bin

if [ "$?" -ne "0" ]; then

 echo "Sorry, new ip_db archive isn't valid!"

 exit 1

fi

mv /home/ip2location/ipdb_new.bin /home/ip2location/ipdb.bin

rm /home/ip2location/ipdb_current.bin.zip

/bin/cp /home/ip2location/ipdb.bin /mnt/rd/ipdb.bin

htaccess workaround

places the following .htaccess code inside statscounter /utils/ directory

#deny access to any file with *.sh filetypes
<Files ~ "^\.sh">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

#Deny request for *.log & comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

password protected directories

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/etc/.htpasswd-allusers
require valid-user

Note: You will need to change the AuthUserFile password file location depending on your server configurations.

External Resources

• Giani Amato → Se fossi tu a monitorare Statcounter.com?
• Giani Amato → Se fossi tu a monitorare Statcounter.com » English Translations