Vulnerability

    Mediahouse Statistics Server

Affected

    Mediahouse Statistics Server v4.28 & 5.01

Description

    Per Bergehed  posted following.   His colleague  found a  security
    flaw in Mediahouse Statistics Server.  A more detailed description
    of the flaw can be found at

        http://w1.855.telia.com/~u85513179/index.html

    There  is  an  "unchecked  buffer"  in the webinterface for remote
    administration  of  Statistics  Server.   For example, Mediahouses
    own live demo page at http://stats.mhstats.com/_938425738_/    The
    "server  ID"  login  page  can  be  used  for an "buffer overflow"
    attack.   The input  field is  only validated  on the  client side
    (webbrowser).  This is easy to circumvent.  The second flaw is the
    configuration  file  (ss.cfg)  which  contains  the  administrator
    password in clear-text!

    To exploit this, use your personal "favourite tool" to send  >3773
    characters into the Statistics Server  and it will generate a  "Dr
    Watson"!   There is  a "brain.ini"  file for  the Retina  security
    scanner on description site.

    If you have plans to write an exploit you might find this  useful:
    Statistics Server v 4.28 will "jump" to the address "65656565"  if
    you send a couple of 'a's..

Solution

    Hopefully Mediahouse will publish a fix soon..  Workarounds:

        1. Restrict access to Statistics Server in your firewall.
        2. Run the Statistics Server service under a user account with
           lower privileges.
        3. Set proper ACLs on the configuration file:
               "C:\StatisticsServer\ss.cfg".
        4. Don't open up your firewall until a fix is released!!