Anyboard (www.netbula.com) problem's publicly discussed in

From: Bluefish [@ home] ([@)
Date: Fri Apr 23 1999 - 18:55:39 PDT

    Draz Q published a short summary of problems with a web-related software in
    eurohack. Basically it sounds pretty much like a common CGI problem. It
    does not give user or root access, only the ability to fake/modify just
    about anything shown by the program. However, in the parts left out by me
    Draz Q mentions a great many sites (including commercial sites) exposed
    to the vulnerability.
    
    =========================================================================
    Anyboard Forum Security Hazard - POSTED ON  Eurohack and Radikal 23/04/99
    by draz Q.
    =========================================================================
    Anyboard by Netbula (www.netbula.com)
    
    After using the Anyboard Forum at my own page (www.radikal.net/radikal)
    for a while I've found a "little" (?) flaw in it that allows _anyone_ to
    get the admin login and password. This is because the forum CFG file is
    available to anyone.
    
    This allows anyone to:
    - Delete messages in the forum (purge the whole forum)
    - Modify messages
    - Write messages as Admin
    - Change admin login and password
    - In short, do anything in the Message forum
    
    [official] http://www.11a.nu/
    [mirror.1] http://194.236.13.242/11a/index.html
    [mirror.2] http://home.swipnet.se/~w-12702/11A/
    [my.email] ealliance$hotmail.com || 11a$gmx.net
    


