Bugtraq mailing list archives

Re: More fun with WWWBoard


From: Chris.Ridd () MESSAGINGDIRECT COM (Chris Ridd)
Date: Mon, 20 Sep 1999 13:24:38 +0100


On Fri, 17 Sep 1999 05:09:38 PDT, David Weins wrote:
Since I didn't see any of this mentioned in any of the archived WWWBoard
articles from bugtraq, I decided to send it in.

[...]

Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly
isn't interested...)

If you haven't looked over the scripts or at least read the entire
ADMIN_README file to begin with (which you should do when you download
any program) you can see that there is a variable for where to store/name
the password file.  This variable is called $passwd_file.  Since the file
needs to be open for writing and reading your best bet would be to move
the file into a directory where it cannot be accessed via the world
wide web.  You can do this easily by changing the $passwd_file variable
from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename
passwd.txt to brdpass.txt and move it into that directory.  It at least
provides you with a little more security than this insecure program
does for you, or even suggests for you.

Sometimes you won't be able to do this - for example if your home
directory is your htdocs directory, which is the case for some ISPs. A
workaround is to prevent the web server from returning the passwd.txt
file, whilst still permitting the file to be read/written by the CGI
script.

In Apache you'd configure this as follows:

<Files passwd.txt>
deny from all
</Files>

Cheers,

Chris
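The following is an added configuration example, not part of Chris's post or of WWWBoard itself, spelling out the two ways the thread describes of keeping passwd.txt away from web clients. The weak setting is WWWBoard's default of leaving $passwd_file in the web tree with no server-side restriction; the corrected settings are the Files block from the post (with an explicit Order line, as Apache 1.3/2.2 expect) and the equivalent Apache 2.4 syntax, since the Order/Deny directives were replaced in 2.4. The path /home/user/htdocs/wwwboard is a constructed placeholder for the ISP-style setup Chris mentions, where the home directory is also the document root.

```apache
# --- Weak (the WWWBoard default): nothing stops the web server from
# serving passwd.txt, so the file in the board directory is fetchable
# by anyone who asks for it.  No directive at all corresponds to this.

# --- Corrected, Apache 1.3 / 2.2 syntax (what the post shows, plus an
# explicit Order so the deny takes effect regardless of defaults).
# Put this in httpd.conf, or in a .htaccess file in the board directory
# if the ISP grants "AllowOverride Limit" there.
<Files passwd.txt>
    Order deny,allow
    Deny from all
</Files>

# --- Corrected, Apache 2.4 syntax (Order/Deny were removed in 2.4).
# In a .htaccess file this needs "AllowOverride AuthConfig".
<Files passwd.txt>
    Require all denied
</Files>

# --- Scoping the rule to just the board directory (constructed path),
# so an unrelated passwd.txt elsewhere on the server is not affected.
<Directory "/home/user/htdocs/wwwboard">
    <Files passwd.txt>
        Require all denied
    </Files>
</Directory>
```

Whichever form is used, the CGI script can still open the file for reading and writing, because the restriction applies only to requests handled by the web server, not to filesystem access by processes it runs. If you later rename the file as the quoted advice suggests (brdpass.txt), remember to change the filename in the Files block as well, or the restriction silently stops matching.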

