Discus advisory.

From: Elaich Of Hhp (hhpat_private)
Date: Fri Apr 23 1999 - 19:34:08 PDT


              (hhp) Discus advisory. (hhp)
    ---------------------------------------------------
    	Discus (Free discussion for your Web Site!) at
    http://www.chem.hope.edu/discus/ has a directory and file
    permission problem. The code is really messy and they need to
    learn file and permission operations better. The source
    determines the mode of the directories and files from other
    sources: Line: 533 in discus3_01/source/src-board-setup
    which is a totally bad idea being that no matter what, the
    private files should not be +r... i.e., the *.txt's and so on.
    I contacted the software programmers and hope they recognize
    this problem being that the files are so open and easy to find
    with any public search engines. I noticed quite a few servers
    are using this software and I would guesstimate about 80% or
    more are vulnerable to getting their userfile cracked and their
    server rooted.
    	So my suggestion to people using this software is to check
    your modes or wait for a new release of the software. I did not
    want to get into making a patch being that they need to totally
    redo some of their methods.
    
    elaich - 2:30:15am CST 4/24/1999
    --------------------------------------------
    elaich of the hhp.
    Email: hhpat_private / pigspigsat_private
    Voice: 1800-Rag-on-gH pin: The-hhp-crew
    Web: http://hhp.hemp.net
    --------------------------------------------
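
For administrators following the "check your modes" advice above, this is one way to audit a board's data directory. It is an added example, not part of the original post and not Discus code. The directory argument is an assumption (pass your own install path); the `*.txt` pattern is the one the advisory names.

```shell
#!/bin/sh
# Added example: audit a Discus data directory for world-readable entries.
# Assumption: the board's directory is given as $1. The *.txt pattern is
# taken from the advisory; everything else here is illustrative.

# Print every directory and *.txt file under $1 whose mode has the
# "other" read bit set (octal 004).
list_world_readable() {
    find "$1" \( -type d -o \( -type f -name '*.txt' \) \) -perm -004 -print
}

# Number of entries list_world_readable reports for $1.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Remove all "other" access from the same set of entries. Run this as the
# account that owns the board files, and confirm afterwards that the board
# scripts can still read their data under the account they run as.
tighten() {
    find "$1" \( -type d -o \( -type f -name '*.txt' \) \) -perm -004 \
        -exec chmod o-rwx {} +
}

# Stand-alone use: report only, change nothing.
if [ -n "${1:-}" ]; then
    echo "World-readable directories and *.txt files under $1:"
    list_world_readable "$1"
fi
```

File modes are only half of the exposure the advisory describes: a file the web server account can read and that sits under the document root can still be fetched by URL, so check the server's access rules for the data directory as well.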
    


