That post talks about another security problem resulting of the bad interaction between two different applications. The current problem is that the ftp address with the login name and password of your web site can be viewable by anybody on the Internet in a specific situation.
How it happened?
I am using the AceFTP software to connect to the ftp of my website’s server. It is a really nice ftp software. One of the useful features is that you have the possibility to view a file (text, image or webpage) in an embedded web browser. Then if you click on your index.htm file, you will see it instantly into the browser; it is really useful when you do not remember what a specific file was.
I am also using StatCounter as my web site statistic application. I already talked about that beautiful service before. You only have to put a little JavaScript code on one of you webpage, and it will record the entry and exit pages of your visitors.
Now you wander what is the problem?
The problem exists when one of the feature of AceFTP and another one of StatCounter interact together:
- The preview feature of AceFTP
- And the possibility to put your statistics public with StatCounter
Note: you need to have in mind that this security problem can be possible with other ftp client softwares that have the same feature and any other web site statistics services that broadcast the stats publicly. I get AceFTP and StatCounter in my example because it is with them that I discovered the problem.
You see the problem coming? When I check a file that contains the JavaScript code of StatCounter in the “embedded browser”, the code on that page is then executed by the ftp client software. Then the visit will be recorded by StatCounter. The problem is that the entry page that StatCounter will show will be something like that:
Then if the public statistics of your StatCounter account is at “on”, then anybody can have access to the ftp server of your web site.
Demonstration
- I check one of my file containing the StatCounter’s JavaScript code with my ftp client software
- Then I check my stats
How can we fix the problem?
- Web services like StatCounter could check for the patterns: “* : * @ *”, then hiding them. It is exactly what Bloglines had done when I discovered a problem like this one with their web application.
- You could use another option of StatCounter that enable you to ignore the visits that come from your IP address. Then if StatCounter ignore your visits, such activities will not be the recorded.
- You could simply stop using the preview feature of AceFTP.
Conclusion
My conclusion is that same as the one I wrote for the Bloglines’ problem with the RSS feed: This experience is a good example of the potential security treats that can appears when more than one system start to interact together.
Technorati: security | statcounter | aceftp | ftp | flaw | hack |