-- Banner rotating 01 -- --> Description: "Banner rotating 01" is a cgi script distributed for free on several site builder sites, including Hot Area. The script is available on http://www.hotarea.net/web/scripts/banner01/ The cgi script offers numerous functions for those wishing to manage rotating banners on their sites, including web based administration, unlimited advertisers, and statistics that keep track of exposures, click-throughs and the view-to-click ratio. The script requires Server Side Includes (SSI) support from the webserver. --> Affected sites: The Hot Area site mentions that the script has been downloaded 9345 times (as of 05/16/2000). A simple WebFerret search showed that scores of sites are affected with an exposed in-the-clear password file. --> The problem: A file called adpassword.txt is world readable as it is assigned the wrong permissions. This will allow a malicious attacker to read the contents of the file, to crack the DES encrypted password it contains (using a common-or-garden password cracker), and to edit banner entries,to add or to remove banners. --> Extracts of the manual with commentary: Note: The extracts below are taken from the manual, which is stored as an index.html in the same as the adpassword file and the .cgi scripts --cut-- Below are the files stored in the ads directory index.html - the manual ads.setup - the only file you need to change; ads.cgi - script to display correct advertiser; gotoad.cgi - script to direct links; admin.cgi - script to administrate your advertisers; adcount.txt - a file to keep track of which banner to display; adpassword.txt - password file for administration script; 01-03.jpg - demo images Advertiser.txt - sample data files Below are the permissions they want you to give your files ads.setup - 755 ads.cgi - 755 gotoad.cgi - 755 admin.cgi - 755 adcount.txt - 777 adpassword.txt - 777 Below is an explanation on how to use the admin.cgi tool Your password is currently set at admin. I suggest the first thing you do is to change it. Name - the name of the advertiser - DO NOT USE SPACES. Exposures - the number of exposures purchased. URL - the url that the banner should link to. Image URL - the url of the banner for the advertiser. Banner Text - the text that you want to appear below the banner. Font Size - the size of the text below the banner. Note: admin, when DES encrypted is "aaLR8vE.jjhss." 8 of the 10 web sites I reviewed did not change this password. Possible Countermeasures Delete the file. On Apache web servers, htaccess can be used to deny access to the file. --> This file was written by: Name: zillion Email: zillion@safemode.org Url: http://www.safemode.org Special thanks to Peter Thomas!