Bugtraq mailing list archives

wwwthreads discussion forum security holes

From: jkwilli2 () UNITY NCSU EDU (Ken Williams)
Date: Tue, 8 Sep 1998 10:16:31 -0400


-----BEGIN PGP SIGNED MESSAGE-----

Hi,

     The WWW Threads discussion forum software,
http://www.screamingweb.com/wwwthreads/
has several security holes and coding weaknesses.  When running the install
script, the data directories are created in a publicly accessible area.
The install instructions direct the user to create the data directory in
a publicly accessible directory under "html" or "public_html" also.
The data directories contain, among other things, administrator and user
logins and passwords.  These passwords are written to files in plaintext,
and the files can easily be viewed and/or downloaded by anyone with a web
browser.  As far as I can tell, there is no error or bounds checking in the
administrative cgi scripts either, so exploit code can easily be executed
remotely once the plaintext passwords are retrieved.

All platforms using these scripts are affected.

Suggested fixes:

1) move the data directories to non-publicly accessible area and correct
   the appropriate lines in the cgi scripts.

2) remove all (g) and (o) permissions to prevent local exploit.

3) use the UNIX crypt() function or something similar to encode passwords
   written to files.

4) add a "referer" variable to the cgi scripts so commands can only be
   executed on local server that has WWW Threads installed.


There are many other bugs in the WWW Threads scripts, so my personal
suggestion is to use another discussion forum script or roll your own
until these problems are fixed.

These bugs and security holes are present in the latest bugfix release of
WWW Threads (wwwthreads v2.7.3), and all earlier releases that I have
checked (2.6.* and 2.7.*).

The author, rbaker () screamingweb com, was notified of these problems on
Sat, 15 Aug 1998.


Regards,

Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap () ehap org info () ehap org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys   http://www.genocide2600.com/cgi-bin/finger?tattooman

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQEVAwUBNfU8NJDw1ZsNz1IXAQGWGQf9G2H75y1h40mjvmKl56o6ukaduo7b3y7A
wFS+/K5mjWmUoN5ju4GvdPs/2nr5oGR9BuXKlhRCY5+xKQFounkScdTpFBRf/dla
+ke0RpXCmje13BVqEKKmLFYJhHM2I2YVfluqhYghjHAo5afcvkObsP7T7jMP2rhJ
HUFVYvsPrrCjOkYHIpzPT+YD+1c+fzknSAXRefVVsmI+F12+nEWGDfL3YoTD7YRv
g00YVl8pW3v1ZG4krkIiyDwN0eZBFE0pnv8bxMMGi0V1HnUwiBYS7rSekCLuTldA
mj+iDq3MFMLk/2YP6gsONUZJvLINOE2DumCQRJ8z/AXLlHkdTKWxlw==
=JMFx
-----END PGP SIGNATURE-----

Current thread:

Re: Reading read-protected devices in *BSD Chris Wilson (Sep 07)
- Re: your mail Matt Watson (Sep 07)
- wwwthreads discussion forum security holes Ken Williams (Sep 08)
- Warning: LSASS.EXE problems Aleph One (Sep 08)