(hhp) Advertiser advisory. (hhp)
hhp-ADV#8
by: loophole hhp@hhp.perlx.com
11/7/99 3:19:16am CST.
---------------------------------------------------------------------

Alright, to my knowledge, there is a problem with a piece of software named
'Advertiser', a lot like 'Webadverts' which is mentioned in hhp-ADV#6
(hhp-ads.txt). You can download this software at URL:

  http://dreamcatchersweb.com/scripts/

The problem is based on default file/directory permissions via bad
installation steps. The following text comes from the readme file in the
software at step 16.2:

  'The files included need the following permissions:
     adcount.txt      a+rw or 666
     adpassword.txt   a+rw or 666
     ad.cgi           a+rx or 755
     gotoad.cgi       a+rx or 755
     admin.cgi        a+rx or 755'

also on step 22.1:

  'Your password is currently set at "admin".'

A big problem is in adpassword.txt, which contains a crypt(3) password that
is easily crackable via 'john the ripper' or other standard DES password
crackers. The cracker could then access admin.cgi and change the database,
passwords, or anything he chooses.

I think the easiest way to fix this is for the software programmers to touch
up on the security side of their software and to change the default
permissions in the readme file.

-hhp-2t0-------------------------------------------------------------
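An added example, not part of the hhp advisory or of the Advertiser package: a POSIX shell audit that flags the readme's default modes on an install directory and applies tighter ones. The file names are the five from the readme excerpt; the flat directory layout is an assumption, as is that the CGI scripts run as the owner of the data files (suexec/cgiwrap style). Where the scripts run as the web server's own user instead, chown adcount.txt and adpassword.txt to that user before applying mode 600, or the scripts lose access. The audit reports both halves of a 666 mode: other-readable, which exposes the crypt(3) hash the advisory describes, and group/other-writable, which lets any other account on the host replace the file contents.

```shell
#!/bin/sh
# Added example (not the advisory's or the vendor's code). Audits an
# Advertiser-style install directory for modes wider than the role of the
# file warrants, and tightens the two data files the readme sets to 666.

# audit_perms DIR
#   Prints every regular file under DIR that is writable by group (020) or
#   other (002), plus adpassword.txt if it is readable by group (040) or
#   other (004). Returns 0 when nothing is flagged, 1 otherwise.
audit_perms() {
    dir=$1
    bad=0
    # Octal -perm tests are portable across GNU and BSD find.
    for f in $(find "$dir" -type f \( -perm -020 -o -perm -002 \)); do
        echo "WRITABLE by group/other: $f"
        bad=$((bad + 1))
    done
    # The crypt(3) hash file must not be readable by anyone but its owner.
    if [ -f "$dir/adpassword.txt" ] &&
       [ -n "$(find "$dir/adpassword.txt" \( -perm -040 -o -perm -004 \))" ]; then
        echo "READABLE by group/other (crypt hash exposed): $dir/adpassword.txt"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# make_default_install
#   Builds a constructed install directory in a temp location using exactly
#   the modes the readme's step 16.2 asks for, and prints its path.
make_default_install() {
    d=$(mktemp -d)
    for f in adcount.txt adpassword.txt; do
        : > "$d/$f"
        chmod 666 "$d/$f"
    done
    for f in ad.cgi gotoad.cgi admin.cgi; do
        : > "$d/$f"
        chmod 755 "$d/$f"
    done
    echo "$d"
}

# harden_install DIR
#   Owner-only access to the counter and password files; the CGI scripts
#   keep 755 as the readme states. Assumes the scripts run as the owner of
#   these files (see lead-in).
harden_install() {
    d=$1
    chmod 600 "$d/adcount.txt" "$d/adpassword.txt"
}

# Usage: sh audit.sh /path/to/advertiser
if [ $# -gt 0 ]; then
    audit_perms "$1"
fi
```

Run against a real install directory, the script exits non-zero and lists each offending file; run with no argument it only defines the functions, so it can be sourced into a larger post-install check.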