(hhp) Webadverts advisory. (hhp)
                   hhp-ADV#6 by: loophole
                      hhp@hhp.perlx.com
                   11/3/99 3:21:53pm CST.
---------------------------------------------------------------------
     Alright,  to  my  knowledge,  there is a problem with WebAdverts
which is available at http://awsd.com/scripts/webadverts to download.
     The  problem  is  based  on  file/directory permissions and lazy
programming.  The software contains the following note to its users:

'GENERAL SECURITY NOTE:
The directory containing your data files should be password-protected
or (better yet) should be located somewhere inaccessible to browsers.
You  probably  don't  want  random  passers-by snooping about in your
advertisers' or exchange members' data.  This is especially important
if  you're  running an exchange in which members can update their own
information,  as  if  someone  can read the data files, they can read
the individual members' passwords, as well.'

     As  we all know, this could be done from inside the software and
set  by  _defualt_.  But  it's  not.  What  _is_ set by defualt is...

Filename        - Mode
----------------------
ads.setup       - 755
ads.cgi         - 755
gotoad.cgi      - 755
admin.cgi       - 755
adcount.txt     - 777
adpassword.txt  - 777 

Which is not a pretty site.  None the less the default Administration
password  is set to 'admin', which then the software has a suggestion
that you may want to change it.
     I  think the biggest problem is in adpassword.txt which contains
a crypt(3) password that is easily crackable via 'john the ripper' or
other  standard  DES password crackers.  Which then the cracker could
access admin.cgi and change the database, passwords, or banners(Not a
pretty site).
     I  think  the  easiest  way  to  fix  this, is for the AdsAdvert
programmers  to touch up on the security side of thier software or to
change the default permissions.
-hhp-2t0-------------------------------------------------------------