Since I didn't see any of this mentioned in any of the archived WWWBoard articles from bugtraq, I decided to send it in.

Possible Compromise: Remote Administration of WWWBoard.
-------------------------------------------------------

By following WWWBoard's install instructions exactly, you can leave yourself open to the risk of abuse through the wwwadmin.pl script. Matt Wright was at least smart enough to include some type of username/password checking, but he didn't think to force the wwwboard administrator to pick/create a password for the webadmin account before the board would work. Instead he created a default account:

    Username: WebAdmin
    Password: WebBoard

Well, at least he does suggest that you change this password the first time you log in to wwwadmin. Now most people are smart enough to change the default password to something at least halfway secure, but thanks to Matt Wright your new password is written into passwd.txt, and that file has to remain readable/writeable for the server to be able to change it. The password in this file is at least encrypted with crypt, but simply being able to view the file will allow a cracker to sit down and run a dictionary crack against it.

Suggested course of action:

If you have looked over the scripts, or at least read the entire ADMIN_README file (which you should do when you download any program), you will have seen that there is a variable that controls where the password file is stored and what it is named. This variable is called $passwd_file. Since the file needs to be open for reading and writing, your best bet is to move it into a directory that cannot be accessed via the world wide web. You can do this easily by changing the $passwd_file variable from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename passwd.txt to brdpass.txt and move it into that directory. It at least provides you with a little more security than this insecure program does for you, or even suggests for you.
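An added audit script for the two points above, not part of WWWBoard or of this post: it checks whether the configured $passwd_file resolves to a location under the web document root, and whether any account in the password file still verifies against the default password "WebBoard". It assumes the file holds one "username:crypt-hash" line per account; the document root, script directory and sample accounts are constructed values.

```perl
#!/usr/bin/perl
# Audit a WWWBoard install for: (1) the admin password file living under
# the web document root, (2) accounts still using the default password.
# Added example, not WWWBoard code. Assumes "user:crypt(3)-hash" lines.
use strict;
use warnings;
use File::Spec;

# Constructed values; in practice take them from wwwadmin.pl and httpd.
my $docroot     = '/var/www/html';
my $script_dir  = '/var/www/html/wwwboard';
my $passwd_file = 'passwd.txt';    # shipped default: relative to the script

# Resolve $passwd_file relative to the script directory, as the CGI would.
# Lexical only: symlinks and ".." are not followed, so treat a clean result
# as necessary, not sufficient.
sub resolve_passwd_path {
    my ($dir, $file) = @_;
    return File::Spec->canonpath(File::Spec->rel2abs($file, $dir));
}

sub under_docroot {
    my ($path, $root) = @_;
    $root = File::Spec->canonpath($root);
    return ($path eq $root || index($path, "$root/") == 0) ? 1 : 0;
}

# Re-run the login check with the stored hash as salt; a match means the
# account still answers to the default password.
sub default_password_accounts {
    my @bad;
    for my $line (@_) {
        chomp $line;
        my ($user, $hash) = split /:/, $line, 2;
        next unless defined $hash && length $hash;
        push @bad, $user if crypt('WebBoard', $hash) eq $hash;
    }
    return @bad;
}

my $path = resolve_passwd_path($script_dir, $passwd_file);
print under_docroot($path, $docroot)
    ? "WARNING: $path is inside $docroot and is fetchable over HTTP; "
      . "point \$passwd_file outside the document root.\n"
    : "OK: $path is outside the document root.\n";

# Constructed sample accounts; replace with the real file's lines.
my @sample = ('WebAdmin:' . crypt('WebBoard', 'aa'),
              'alice:'    . crypt('correct-horse-battery', 'zz'));
print "WARNING: account '$_' still uses the default WebBoard password.\n"
    for default_password_accounts(@sample);
```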
-dew

.*******************************************************************.
:  David E. Weins        \  "Time is a great teacher, unfortunately  :
:  davidat_private       \   it kills all its pupils."               :
:                        \                   - Hector Berlioz        :
`*******************************************************************'
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:30 PDT