More fun with WWWBoard

From: David Weins (shat_private)
Date: Fri Sep 17 1999 - 05:09:38 PDT


    Since I didn't see any of this mentioned in any of the archived WWWBoard
    articles from bugtraq, I decided to send it in.
    
    Possible Compromise: Remote Administration of WWWBoard.
    -------------------------------------------------------
    
    By following WWWBoard's install instructions exactly, you can leave
    yourself open to the risk of possible abuse through the wwwadmin.pl
    script.  Matt Wright was at least smart enough to include some type
    of username/password checking, but he didn't have the idea to force
    the wwwboard administrator to pick/create a password for the webadmin
    account before the board would work.  Instead he created a default
    account:
    
    Username: WebAdmin
    Password: WebBoard
    
    Well, at least he does suggest that you change this password the first
    time you log in to wwwadmin.  Now most people are smart enough to
    change the default password to something at least halfway more secure,
    but thanks to Matt Wright your new password is written into passwd.txt
    and it has to remain readable/writeable for the server to change the file.
    The password in this file is at least encrypted with crypt, but just
    being able to view the file will allow a cracker to sit down and
    run a dictionary crack against it.
    
    Suggested course of action:
    
    If you haven't looked over the scripts or at least read the entire
    ADMIN_README file to begin with (which you should do when you download
    any program) you can see that there is a variable for where to store/name
    the password file.  This variable is called $passwd_file.  Since the file
    needs to be open to writing and reading, your best bet would be to move
    the file into a directory where it cannot be accessed via the World
    Wide Web.  You can do this easily by changing the $passwd_file variable
    from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename
    passwd.txt to brdpass.txt and move it into that directory.  It at least
    provides you with a little more security than this insecure program
    does for you, or even suggests for you.
    
    
      -dew
    
    .*******************************************************************.
    :  David E. Weins      \   "Time is a great teacher, unfortunately  :
    :  davidat_private      \   it kills all its pupils."               :
    :                        \              - Hector Berlioz            :
    `*******************************************************************'
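
An administrator-side check for the relocation suggested in the message above, added here as an example that is not part of the original post and is not WWWBoard code. It assumes the setting appears in wwwadmin.pl as a quoted Perl assignment to $passwd_file and that a relative value is resolved against the board directory; all directory paths and sample configurations are constructed.

```python
import posixpath
import re

# Matches the Perl assignment of the variable named in the post,
# e.g.  $passwd_file = "passwd.txt";   (commented-out lines do not match)
ASSIGN = re.compile(r'''^\s*\$passwd_file\s*=\s*(["'])(.*?)\1\s*;''', re.M)


def passwd_file_path(script_text, board_dir):
    """Return the normalised path the script is configured to use, or None."""
    m = ASSIGN.search(script_text)
    if m is None:
        return None
    # Assumption: a relative value is resolved against the board directory.
    # An absolute value replaces board_dir entirely (posixpath.join semantics).
    return posixpath.normpath(posixpath.join(board_dir, m.group(2)))


def is_web_reachable(path, doc_root):
    """True when path lies inside the tree the web server publishes."""
    root = posixpath.normpath(doc_root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit(script_text, board_dir, doc_root):
    """Classify the configured password file location."""
    path = passwd_file_path(script_text, board_dir)
    if path is None:
        return "UNKNOWN: no $passwd_file assignment found"
    if is_web_reachable(path, doc_root):
        return f"EXPOSED: {path} is under document root {doc_root}"
    return f"OK: {path} is outside document root {doc_root}"


# Constructed sample configurations (not taken from a real installation).
BOARD_DIR = "/var/www/html/wwwboard"
DOC_ROOT = "/var/www/html"
DEFAULT_CFG = '$passwd_file = "passwd.txt";\n'
MOVED_CFG = '$passwd_file = "/var/lib/wwwboard/brdpass.txt";\n'
STILL_INSIDE_CFG = '$passwd_file = "../brdpass.txt";\n'

if __name__ == "__main__":
    for cfg in (DEFAULT_CFG, MOVED_CFG, STILL_INSIDE_CFG):
        print(audit(cfg, BOARD_DIR, DOC_ROOT))
```

The check is purely lexical: symlinks and web server alias mappings that publish directories outside the document root are not considered and need to be reviewed separately.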
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:30 PDT