Bugtraq mailing list archives
Re: More fun with WWWBoard
From: Chris.Ridd () MESSAGINGDIRECT COM (Chris Ridd)
Date: Mon, 20 Sep 1999 13:24:38 +0100
On Fri, 17 Sep 1999 05:09:38 PDT, David Weins wrote:
> Since I didn't see any of this mentioned in any of the archived WWWBoard articles from bugtraq, I decided to send it in.
> [...]

Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly isn't interested...)
> If you haven't looked over the scripts or at least read the entire ADMIN_README file to begin with (which you should do when you download any program) you can see that there is a variable for where to store/name the password file. This variable is called $passwd_file. Since the file needs to be open for writing and reading, your best bet would be to move the file into a directory where it cannot be accessed via the world wide web. You can do this easily by changing the $passwd_file variable from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename passwd.txt to brdpass.txt and move it into that directory. It at least provides you with a little more security than this insecure program does for you, or even suggests for you.
Sometimes you won't be able to do this - for example if your home directory is your htdocs directory, which is the case for some ISPs. A workaround is to prevent the web server from returning the passwd.txt file, whilst still permitting the file to be read/written by the CGI script. In Apache you'd configure this as follows:

    <Files passwd.txt>
    deny from all
    </Files>

Cheers,

Chris
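Both mitigations from this exchange, as an added shell example that is not code from the thread or from WWWBoard: a check for whether the password file resolves to somewhere under the document root, Weins' relocation (the brdpass.txt name is his suggestion), and Ridd's Apache `<Files>` block. The directory layout is constructed under a temp dir; the `Order` line is an addition that makes the Apache 1.3/2.2 access ordering explicit.

```shell
#!/bin/sh
# Added example (not code from the Bugtraq thread): find out whether a
# WWWBoard password file can be fetched through the web server and apply
# the two mitigations discussed, moving it out of the document root or
# denying it with an Apache <Files> block. All paths are constructed.

# under_docroot DOCROOT FILE: exit 0 if FILE's directory resolves beneath
# DOCROOT (a browser could request it), 1 if outside, 2 on a bad path.
# pwd -P follows symlinks, so a link pointing into htdocs is caught too.
under_docroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 2
    case "$dir/" in
        "$docroot"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# move_out_of_web DOCROOT FILE DEST_DIR: Weins' fix. Relocate the file to
# a non-web directory, tighten its mode, and print the absolute path that
# $passwd_file in wwwboard.pl should then be set to.
move_out_of_web() {
    mkdir -p "$3" && mv "$2" "$3/brdpass.txt" || return 1
    chmod 600 "$3/brdpass.txt"
    under_docroot "$1" "$3/brdpass.txt" && return 1   # still web-reachable
    printf '%s\n' "$(cd "$3" && pwd -P)/brdpass.txt"
}

# deny_stanza NAME: Ridd's fallback for when the file cannot leave the
# docroot. Emits the Apache (1.3/2.2 style) <Files> block; Order is made
# explicit rather than relying on the default Deny,Allow ordering.
deny_stanza() {
    printf '<Files %s>\n    Order deny,allow\n    Deny from all\n</Files>\n' "$1"
}

# Walk-through on a throwaway layout.
tmp=$(mktemp -d)
mkdir -p "$tmp/htdocs/wwwboard"
: > "$tmp/htdocs/wwwboard/passwd.txt"
under_docroot "$tmp/htdocs" "$tmp/htdocs/wwwboard/passwd.txt" \
    && echo "passwd.txt is inside the web tree"
echo "set \$passwd_file to: $(move_out_of_web "$tmp/htdocs" \
    "$tmp/htdocs/wwwboard/passwd.txt" "$tmp/private")"
deny_stanza passwd.txt
rm -rf "$tmp"
```

The `<Files>` block only helps if Apache reads it (httpd.conf, or a .htaccess in a directory where `AllowOverride Limit` is permitted), so confirm with a request for passwd.txt that the server answers 403 rather than the file contents.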