-----BEGIN PGP SIGNED MESSAGE----- Hi, The WWW Threads discussion forum software, http://www.screamingweb.com/wwwthreads/ has several security holes and coding weaknesses. When running the install script, the data directories are created in a publicly accessible area. The install instructions direct the user to create the data directory in a publicly accessible directory under "html" or "public_html" also. The data directories contain, among other things, administrator and user logins and passwords. These passwords are written to files in plaintext, and the files can easily be viewed and/or downloaded by anyone with a web browser. As far as I can tell, there is no error or bounds checking in the administrative cgi scripts either, so exploit code can easily be executed remotely once the plaintext passwords are retrieved. All platforms using these scripts are affected. Suggested fixes: 1) move the data directories to non-publicly accessible area and correct the appropriate lines in the cgi scripts. 2) remove all (g) and (o) permissions to prevent local exploit. 3) use the UNIX crypt() function or something similar to encode passwords written to files. 4) add a "referer" variable to the cgi scripts so commands can only be executed on local server that has WWW Threads installed. There are many other bugs in the WWW Threads scripts, so my personal suggestion is to use another discussion forum script or roll your own until these problems are fixed. These bugs and security holes are present in the latest bugfix release of WWW Threads (wwwthreads v2.7.3), and all earlier releases that I have checked (2.6.* and 2.7.*). The author, rbakerat_private, was notified of these problems on Sat, 15 Aug 1998. Regards, Ken Williams Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml E.H.A.P. Corporation http://www.ehap.org/ ehapat_private infoat_private NCSU Comp Sci Dept http://www.csc.ncsu.edu/ jkwilli2at_private PGP DSS/DH/RSA Keys http://www.genocide2600.com/cgi-bin/finger?tattooman -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQEVAwUBNfU8NJDw1ZsNz1IXAQGWGQf9G2H75y1h40mjvmKl56o6ukaduo7b3y7A wFS+/K5mjWmUoN5ju4GvdPs/2nr5oGR9BuXKlhRCY5+xKQFounkScdTpFBRf/dla +ke0RpXCmje13BVqEKKmLFYJhHM2I2YVfluqhYghjHAo5afcvkObsP7T7jMP2rhJ HUFVYvsPrrCjOkYHIpzPT+YD+1c+fzknSAXRefVVsmI+F12+nEWGDfL3YoTD7YRv g00YVl8pW3v1ZG4krkIiyDwN0eZBFE0pnv8bxMMGi0V1HnUwiBYS7rSekCLuTldA mj+iDq3MFMLk/2YP6gsONUZJvLINOE2DumCQRJ8z/AXLlHkdTKWxlw== =JMFx -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:16 PDT