Re: wwwboard my help reveal user name and password

[jlegate () ALIENCHICK COM (Jason Legate)]

On Fri, Jul 07, 2000 at 02:24:11PM -0400, Shadowboxer wrote:
> Julian Linton wrote:
>
> > This is probably well know already. if wwwboard.pl is install with
> > most of it default settings any web user can access
> > www.somesite.com/wwwboard/passwd.txtthis will show the username and
> > encrypted password for the wwwadmin.pl script.  I did a search on the
> > internet and many of the site that are running wwwboard use the same
> > password and username for other service, such as ftp or telnet.  I
> > feel this can be a problem since the passwd.txt file is world
> > readable. Julian LintonCIS Student @ FAMU.EDUjlinton () cis famu edu
>
> There have been countless security bugs found in Matt Wright's wwwboard
> script since it was released.  It is pretty much obsolete these days.  I
> know a few people who have played with the script a little and got it to
> be pretty bug-free/secure.  The minimum would be to fix this password
> problem and to add referrer checking so a standalone script can't be
> used to bomb it.

I think adding referrer checking is useless.  One can spoof a
Referrer: header in a http request just as easily as spoof the actual
requests.

-j

--
/--------------------------/ Jason Legate \---------------------------\
|       jlegate () sitesmith com      |          SiteSmith, Inc.         |
|          24x7 Call Center        |     http://www.sitesmith.com     |
| +1 888 898 7667 / +800 7483 7483 |      PGP Key ID - 0xA855AAC2     |
+----------------------------------+----------------------------------+
|  Fingerprint - 2D5F 87A0 26E6 A65B 6837  D100 FB54 A972 A855 AAC3   |
\---------------------------------------------------------------------/