Vulnerability Development mailing list archives

Re: wwwboard my help reveal user name and password


From: spepper () WLU CA (Shelagh Pepper)
Date: Fri, 7 Jul 2000 12:23:39 -0400


Workaround is to deny access to passwd.txt files.
Apache-specific directive is:

<Files passwd.txt>
     Order allow,deny
     Deny from all
</Files>

I would put a .htaccess file in wwwboards similar to the following:

<Files *.txt>
     Order allow,deny
     Deny from all
</Files>
ErrorDocument 403 /Lame_excuses/not_found.html

Shelagh

At 03:00 AM 7/7/00 -0400, Julian Linton wrote:
This is probably well known already. If wwwboard.pl is installed with most of
its default settings any web user can access
<http://www.somesite.com/wwwboard/passwd.txt>
this will show the username and encrypted password for the wwwadmin.pl
script.  I did a search on the internet and many of the sites that are
running wwwboard use the same password and username for other services,
such as ftp or telnet.  I feel this can be a problem since the passwd.txt
file is world readable.

Julian Linton
CIS Student @ FAMU.EDU
jlinton () cis famu edu
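
Added example, not part of the original messages: a local audit that walks a document root and lists every passwd.txt that no `.htaccess` `<Files>` deny rule (the workaround above) covers. The function names and the sample directory layout are constructed for illustration; only wildcard `<Files>` sections are recognised, so anything protected another way is still reported.

```python
import fnmatch, os, pathlib, re, tempfile

FILES_OPEN = re.compile(r'<Files\s+"?([^">]+)"?\s*>', re.I)
# "Deny from all" is the syntax in the message; "Require all denied" is Apache 2.4's.
DENY_ALL = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I)

def denied_patterns(text):
    """Return the <Files> wildcard patterns whose section holds a deny-all rule."""
    found, current = [], None
    for line in text.splitlines():
        opened = FILES_OPEN.search(line)
        if opened:
            current = opened.group(1).strip()
        elif line.strip().lower().startswith("</files"):
            current = None
        elif current and DENY_ALL.match(line):
            found.append(current)
    return found

def covered(directory, root, name):
    """True if a .htaccess in directory, or a parent up to root, denies name."""
    d, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if any(fnmatch.fnmatch(name, p) for p in denied_patterns(fh.read())):
                    return True
        if d == root or os.path.dirname(d) == d:
            return False
        d = os.path.dirname(d)

def exposed(root, name="passwd.txt"):
    """Paths (relative to root) of every `name` file no deny rule covers."""
    return sorted(os.path.relpath(os.path.join(dp, name), root).replace(os.sep, "/")
                  for dp, _dirs, files in os.walk(root)
                  if name in files and not covered(dp, root, name))

def demo():
    """Constructed docroot: one board with the .htaccess from the message, one without."""
    rule = "<Files *.txt>\n     Order allow,deny\n     Deny from all\n</Files>\n"
    with tempfile.TemporaryDirectory() as root:
        for board, protect in (("wwwboard", True), ("old/wwwboard", False)):
            os.makedirs(os.path.join(root, board))
            pathlib.Path(root, board, "passwd.txt").write_text("")
            if protect:
                pathlib.Path(root, board, ".htaccess").write_text(rule)
        return exposed(root)
```

A file reported as covered is only protected if the server honours `.htaccess` in that directory (`AllowOverride` must permit the `Limit` directives, and `FileInfo` for `ErrorDocument`), so confirm with a request to your own site that the file returns 403.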

