PT-2011-3641 · Smartertools · Smarterstats

Published: 2011-05-20 · Updated: 2017-08-29 · CVE-2011-2153

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SmarterTools SmarterStats version 6.0

Description: The issue allows context-dependent attackers to discover credentials by reading web-server access logs, web-server Referer logs, or the browser history, because the Login.aspx page accepts URLs that carry the txtUser and txtPass parameters in the query string. This is related to a "cross-domain Referer leakage" issue.

Recommendations: For SmarterTools SmarterStats version 6.0, consider restricting access to the Login.aspx page to minimize the risk of exploitation, and avoid using the txtUser and txtPass parameters in the query string until the issue is resolved.
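The exposure described above is the kind an administrator can look for in their own logs: any request target or Referer that carries txtUser or txtPass is a credential already written to disk. The following is an added example (not code from the advisory or from SmarterTools) that scans constructed access-log lines in Common Log Format for those parameters and redacts their values before a log is retained or shared. The log lines, host names and credentials are made up for the example; the parameter names come from the advisory.

```python
"""Find and redact SmarterStats login credentials leaked through query strings
(constructed example; log lines and hosts are made up)."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Common Log Format with the optional "referer" "user-agent" fields:
# host ident authuser [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

# Query-string parameters named in the advisory (compared case-insensitively).
SENSITIVE_PARAMS = {"txtuser", "txtpass"}

# Constructed sample: one GET login with credentials in the URL, the same URL
# leaking again as a Referer, then a POST login that leaks nothing.
LOG_LINES = [
    '203.0.113.5 - - [20/May/2011:10:15:02 +0000] "GET /Login.aspx?txtUser=alice&txtPass=s3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/May/2011:10:15:03 +0000] "GET /Default.aspx HTTP/1.1" 200 5120 "http://stats.example.test/Login.aspx?txtUser=alice&txtPass=s3cret" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2011:10:16:40 +0000] "POST /Login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2011:10:16:41 +0000] "GET /Reports.aspx?site=1 HTTP/1.1" 200 8000 "http://stats.example.test/Default.aspx" "Mozilla/5.0"',
]


def sensitive_params_in(url):
    """Return the sorted lower-cased sensitive parameter names present in a URL's query."""
    query = urlsplit(url).query
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def find_credential_leaks(lines):
    """One finding per log line whose request target or Referer carries txtUser/txtPass."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        for field in ("target", "referer"):
            url = m.group(field)
            if not url or url == "-":
                continue
            hit = sensitive_params_in(url)
            if hit:
                findings.append(
                    {"line": lineno, "field": field, "client": m.group("host"), "params": hit}
                )
    return findings


def redact_url(url):
    """Replace the values of sensitive query parameters with [REDACTED], keeping the rest."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    for key in list(qs):
        if key.lower() in SENSITIVE_PARAMS:
            qs[key] = ["[REDACTED]"]
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True, safe="[]")))


def redact_log_line(line):
    """Redact sensitive parameter values in both the request target and the Referer."""
    m = LOG_RE.match(line)
    if not m:
        return line
    out = line
    for field in ("target", "referer"):
        url = m.group(field)
        if url and url != "-" and sensitive_params_in(url):
            out = out.replace(url, redact_url(url))
    return out


if __name__ == "__main__":
    for f in find_credential_leaks(LOG_LINES):
        print(f"line {f['line']}: {f['params']} in {f['field']} from {f['client']}")
    for line in LOG_LINES:
        print(redact_log_line(line))
```

Run as-is, the script reports two findings (the GET login and its Referer copy) and prints the four lines with the credential values replaced; the POST login produces nothing, which is the shape a login form should have. The same scan applies to a proxy or load-balancer log in front of the application, since those capture the Referer as well.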

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2011-2153

Affected products

Smarterstats