wwwthreads discussion forum security holes

From: Ken Williams (jkwilli2at_private)
Date: Tue Sep 08 1998 - 07:16:31 PDT

    Hi,
    
         The WWW Threads discussion forum software,
    http://www.screamingweb.com/wwwthreads/
    has several security holes and coding weaknesses.  When running the install
    script, the data directories are created in a publicly accessible area.
    The install instructions direct the user to create the data directory in
    a publicly accessible directory under "html" or "public_html" also.
    The data directories contain, among other things, administrator and user
    logins and passwords.  These passwords are written to files in plaintext,
    and the files can easily be viewed and/or downloaded by anyone with a web
    browser.  As far as I can tell, there is no error or bounds checking in the
    administrative cgi scripts either, so exploit code can easily be executed
    remotely once the plaintext passwords are retrieved.
    
    All platforms using these scripts are affected.
    
    Suggested fixes:
    
    1) move the data directories to a non-publicly accessible area and correct
       the appropriate lines in the cgi scripts.
    
    2) remove all (g) and (o) permissions to prevent local exploit.
    
    3) use the UNIX crypt() function or something similar to encode passwords
       written to files.
    
    4) add a "referer" variable to the cgi scripts so commands can only be
       executed on the local server that has WWW Threads installed.
    
    
    There are many other bugs in the WWW Threads scripts, so my personal
    suggestion is to use another discussion forum script or roll your own
    until these problems are fixed.
    
    These bugs and security holes are present in the latest bugfix release of
    WWW Threads (wwwthreads v2.7.3), and all earlier releases that I have
    checked (2.6.* and 2.7.*).
    
    The author, rbakerat_private, was notified of these problems on
    Sat, 15 Aug 1998.
    
    
    Regards,
    
    Ken Williams
    
    Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
    E.H.A.P. Corporation  http://www.ehap.org/  ehapat_private infoat_private
    NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2at_private
    PGP DSS/DH/RSA Keys   http://www.genocide2600.com/cgi-bin/finger?tattooman
    
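    Added example, not part of the post above and not WWW Threads code: a Python sketch of suggested fixes 1 to 3 as a defender would implement them (data directory resolved outside the document root, credential file with no group/other bits, salted and iterated password hashes instead of plaintext). PBKDF2 stands in for the crypt() the post suggests; all paths, the "admin" credential and the "s3cret" password are constructed for the demo.

```python
# Added example, not WWW Threads code: defender-side checks for fixes 1-3.
import hashlib, hmac, os, secrets, stat, tempfile
from pathlib import Path

ITERATIONS = 100_000  # PBKDF2 work factor; stands in for crypt()'s salted hash

def outside_webroot(data_dir: str, webroot: str) -> bool:
    """Fix 1: the data directory must not resolve to the document root or below it."""
    d, w = Path(data_dir).resolve(), Path(webroot).resolve()
    return d != w and w not in d.parents

def owner_only(path: str) -> bool:
    """Fix 2: no group or other permission bits on the credential file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def hash_password(password: str, salt: bytes = b"") -> str:
    """Fix 3: store a salted, iterated hash instead of the plaintext password."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def write_password_file(path: str, users: dict) -> None:
    """Create the file as 0600 from the start so there is no window of wider access."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for name, pw in users.items():
            f.write(f"{name}:{hash_password(pw)}\n")

def load_password_file(path: str) -> dict:
    """Parse name:hash lines back into a dict."""
    with open(path) as f:
        return dict(line.rstrip("\n").split(":", 1) for line in f if ":" in line)

def demo() -> dict:
    """Constructed run: write one hypothetical admin credential and check a login."""
    p = os.path.join(tempfile.mkdtemp(), "passwd")
    write_password_file(p, {"admin": "s3cret"})  # constructed sample credential
    users = load_password_file(p)
    return {"owner_only": owner_only(p),
            "login_ok": verify_password("s3cret", users["admin"]),
            "login_bad": verify_password("wrong", users["admin"])}
```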
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:16 PDT