Active Web Suite's Free Classified Ads Script is a decently written script, with numerous options and excellent configuration options that enable administrators to run a free classified ads system on their site. The product contains a privacy problem: after installation is completed, possibly sensitive information is sent back to Active Web Suite.
Credit:
The information has been provided by el_kab0ng.
Upon a successful run of setup.cgi, and without the user's knowledge, an email containing what can be considered sensitive information is sent back to activewebsuite.com personnel.
Technical Explanation
See the following source snippet:
---
sub registration_information {
open(MAIL, "|$mail_program -t") || die "Can't open $mail_program!\n";
print MAIL "To: registrations\@activewebsuite.com\n";
print MAIL "From: $admin_email\n";
print MAIL "Subject: FREE CLASSIFIEDS INSTALL: $ENV{'HTTP_HOST'}\n\n";
print MAIL<<EOF;
Site: $site_name
URL: $classifieds_script_url
Registration ID: $registration_id
Email: $admin_email
=====================================================================
ENVIRONMENT VARIABLES
=====================================================================
$ENV{'REMOTE_ADDR'}
$ENV{'HTTP_HOST'}
$ENV{'SERVER_SOFTWARE'}
$ENV{'HTTP_USER_AGENT'}
EOF
close (MAIL);
}
---
This would, obviously, produce something like the following results:
---
Site: [ example.com ]
URL: http://www. example.com/cgi-bin/suite/classifieds/classifieds.cgi
Registration ID: ######
Email: info@ example.com
=====================================================================
ENVIRONMENT VARIABLES
=====================================================================
127.0.0.1
www. example.com
Apache/1.3.11 BSafe-SSL/1.38 (Unix)
Mozilla/4.72 [en] (Windows NT 5.0; I)
---
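The snippet above shows the pattern an administrator would want to catch before running a third-party installer: a mail pipe opened inside a setup routine, a hard-coded recipient at a domain other than the site's own, and CGI environment variables copied into the message body. The following Python script is an added example, not part of the advisory or of Active Web Suite's product; it performs that static audit over Perl CGI source. The embedded sample source is constructed from the routine quoted above plus a hypothetical `notify_admin` sub that mails a site-configured address, to show that ordinary notification code is not flagged. The `own_domains` parameter and the `Finding` fields are assumptions of this example.

```python
"""Static audit: find Perl CGI subs that mail hard-coded external recipients."""
import re
from dataclasses import dataclass, field

# Constructed sample input (added here so the audit runs offline): the vendor
# routine quoted in the advisory, plus a hypothetical sub that mails the site's
# own administrator and therefore should not be flagged.
SAMPLE_CGI = r'''
sub registration_information {
open(MAIL, "|$mail_program -t") || die "Can't open $mail_program!\n";
print MAIL "To: registrations\@activewebsuite.com\n";
print MAIL "From: $admin_email\n";
print MAIL "Subject: FREE CLASSIFIEDS INSTALL: $ENV{'HTTP_HOST'}\n\n";
print MAIL<<EOF;
Site: $site_name
URL: $classifieds_script_url
Registration ID: $registration_id
Email: $admin_email
$ENV{'REMOTE_ADDR'}
$ENV{'HTTP_HOST'}
$ENV{'SERVER_SOFTWARE'}
$ENV{'HTTP_USER_AGENT'}
EOF
close (MAIL);
}

sub notify_admin {
open(MAIL, "|$mail_program -t") || die;
print MAIL "To: $admin_email\n";
print MAIL "New ad posted on $ENV{'HTTP_HOST'}\n";
close (MAIL);
}
'''

SUB_RE = re.compile(r'^\s*sub\s+(\w+)\s*\{')              # start of a Perl sub
PIPE_RE = re.compile(r'open\s*\(\s*\w+\s*,\s*"\|')        # open(FH, "|program ...")
TO_RE = re.compile(r'To:\s*([\w.+-]+)\\?@([\w.-]+)')       # literal address in a To: header
ENV_RE = re.compile(r"\$ENV\{'(\w+)'\}")                   # CGI environment variables used


@dataclass
class Finding:
    sub: str
    line: int
    recipients: list = field(default_factory=list)
    env_vars: list = field(default_factory=list)

    def external(self, own_domains):
        """Recipients whose domain is not one of the site's own."""
        return [r for r in self.recipients
                if r.split("@", 1)[1].lower() not in own_domains]


def scan_subs(source):
    """Yield one Finding per sub that pipes output to an external mail program."""
    current, depth, pipes = None, 0, False
    for lineno, line in enumerate(source.splitlines(), 1):
        if current is None:
            m = SUB_RE.match(line)
            if not m:
                continue
            current, pipes = Finding(sub=m.group(1), line=lineno), False
        if PIPE_RE.search(line):
            pipes = True
        for user, domain in TO_RE.findall(line):
            current.recipients.append(f"{user}@{domain}")
        for var in ENV_RE.findall(line):
            if var not in current.env_vars:
                current.env_vars.append(var)
        # Track brace depth so the sub ends at its closing brace; the braces in
        # $ENV{'...'} are balanced and do not disturb the count.
        depth += line.count("{") - line.count("}")
        if depth == 0:
            if pipes:
                yield current
            current = None


def audit_phone_home(source, own_domains):
    """Return findings that mail hard-coded recipients outside own_domains."""
    own = {d.lower() for d in own_domains}
    return [f for f in scan_subs(source) if f.external(own)]


def report(findings):
    """Render findings as one line each for a reviewer."""
    return "\n".join(
        f"{f.sub} (line {f.line}): mails {', '.join(f.recipients)}; "
        f"message references {', '.join(f.env_vars) or 'no'} environment variables"
        for f in findings)


if __name__ == "__main__":
    print(report(audit_phone_home(SAMPLE_CGI, {"example.com"})))
```

Run against the sample, the audit flags only `registration_information`, naming the activewebsuite.com recipient and the four environment variables that end up in the message; `notify_admin` is skipped because its recipient comes from the site's own configuration. Pointing `own_domains` at the vendor's domain instead yields no findings, which is the reviewer's check that the flag is about where the data goes, not about sending mail as such.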
Workaround:
You can remove the offending code, but doing so will invalidate your warranty. Furthermore, it will also be a copyright infringement.
Vendor response:
Active Web Suite Technologies responded quickly and acknowledged that this may seem like a violation of privacy to some people.
They took action by notifying their clients, and have added a statement indicating that the registration information is forwarded to their support department during the installation process.