-- Banner rotating 01 --

--> Description:

"Banner rotating 01" is a cgi script distributed for free on several
site builder sites, including Hot Area. The script is available on
http://www.hotarea.net/web/scripts/banner01/ The cgi script offers
numerous functions for those wishing to manage rotating banners on their
sites, including web based administration, unlimited advertisers, and
statistics that keep track of exposures, click-throughs and the
view-to-click ratio. The script requires Server Side Includes (SSI)
support from the  webserver.

--> Affected sites:

The Hot Area site mentions that the script has been downloaded 9345
times (as of 05/16/2000). A simple WebFerret search showed that scores
of sites are affected with an exposed in-the-clear password file.

--> The problem:

A file called adpassword.txt is world readable as it is assigned the
wrong permissions. This will allow a malicious attacker to read the
contents of the file, to crack the DES encrypted password it contains
(using a common-or-garden password cracker), and to edit banner
entries,to add or to remove banners.

--> Extracts of the manual with commentary:

Note: The extracts below are taken from the manual, which is stored as
an index.html in the same as the  adpassword file and the .cgi scripts

    --cut--

  Below are the files stored in the ads directory

   index.html      - the manual
   ads.setup       - the only file you need to change;
   ads.cgi         - script to display correct advertiser;
   gotoad.cgi      - script to direct links;
   admin.cgi       - script to administrate your advertisers;
   adcount.txt     - a file to keep track of which banner to display;
   adpassword.txt  - password file for administration script;
   01-03.jpg       - demo images
   Advertiser.txt - sample data files

   Below are the permissions they want you to give your files

   ads.setup       - 755
   ads.cgi         - 755
   gotoad.cgi      - 755
   admin.cgi       - 755
   adcount.txt     - 777
   adpassword.txt  - 777

Below is an explanation on how to use the admin.cgi tool

  Your password is currently set at admin. I suggest the first thing you
do is to change it.
  Name        - the name of the advertiser - DO NOT USE SPACES.
  Exposures   - the number of exposures purchased.
  URL         - the url that the banner should link to.
  Image URL   - the url of the banner for the advertiser.
  Banner Text - the text that you want to appear below the banner.
  Font Size   - the size of the text below the banner.

  Note: admin, when DES encrypted is "aaLR8vE.jjhss." 8 of the 10 web
sites I reviewed did not change this  password.

Possible Countermeasures
Delete the file. On Apache web servers, htaccess can be used to deny
access to the file.

--> This file was written by:

    Name:   zillion
    Email:  zillion@safemode.org
    Url:    http://www.safemode.org

Special thanks to Peter Thomas!