Statcounter Update.sh Workaround (ip2location Informations Leak)

The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com ~ excerpt from Giani Amoto

There is workaround for statcounter update.sh ip2location informations leak
check out this posts at kakkoi → Statcounter Update.sh Vulnerability Fixes

Quick workaround

add the following htaccess code in statcounter /utils/ directory.

#deny access to any file with *.sh filetypes
<Files ~ "^\.sh">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

#Deny request for *.log & comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>
Advertisements

Leave a comment

Filed under statcounter, vulnerability

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s