On Fri, 17 Sep 1999 05:09:38 PDT, David Weins wrote:

> Since I didn't see any of this mentioned in any of the archived WWWBoard
> articles from bugtraq, I decided to send it in.

[...]

Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly isn't interested...)

> If you haven't looked over the scripts or at least read the entire
> ADMIN_README file to begin with (which you should do when you download
> any program) you can see that there is a variable to where to store/name
> the password file. This variable is called $passwd_file. Since the file
> needs to be open to writings and readings your best bet would be to move
> the file into a directory where it cannot be accessed via the world
> wide web. You can do this easily by changing the $passwd_file variable
> from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename
> passwd.txt to brdpass.txt and move it into that directory. It at least
> provides you with a little more security than this insecure program
> does for you, or even suggests for you.

Sometimes you won't be able to do this - for example if your home directory is your htdocs directory, which is the case for some ISPs.

A workaround is to prevent the web server from returning the passwd.txt file, whilst still permitting the file to be read/written by the CGI script. In Apache you'd configure this as follows:

    <Files passwd.txt>
    deny from all
    </Files>

Cheers,
Chris
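As an added example (not part of Chris's message or of WWWBoard itself), the same restriction written out for the two Apache access-control syntaxes in use since then; passwd.txt is the WWWBoard default file name quoted above, and the file is assumed to sit somewhere under the DocumentRoot:

```apache
# Use the block that matches the Apache version you run; do not load both.
# Either block only affects HTTP requests for the file. The CGI script
# still reads and writes it through the filesystem, which is the point.

# Apache 1.3 / 2.2 (mod_access). Put this in httpd.conf, or in .htaccess
# in the board directory if AllowOverride Limit is enabled for it.
<Files "passwd.txt">
    Order allow,deny
    Deny from all
</Files>

# Apache 2.4 (mod_authz_core). The old "Deny from all" form only works on
# 2.4 if the legacy mod_access_compat module is loaded.
<Files "passwd.txt">
    Require all denied
</Files>
```

After a restart, a request for http://yourhost/path/to/passwd.txt should return 403 Forbidden while the board keeps working; if it still returns the file, the directive is not being applied (wrong file, or AllowOverride off for .htaccess).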
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:36 PDT