Re: More fun with WWWBoard

From: Patrick Oonk (patrickat_private)
Date: Wed Sep 22 1999 - 13:42:22 PDT


On Tue, Sep 21, 1999 at 03:51:09PM -0700, Mark Jeftovic wrote:
> At 01:24 PM 9/20/99 +0100, Chris Ridd wrote:
> >Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly
> >isn't interested...)
> >
>
> Doesn't look like it. I posted a vulnerability in his guestbook script
> to this list about 2 years ago (ironically entitled "Guestbook script
> is still vulnerable") and looking at it today ...the guestbook script
> is still vulnerable.

Matt Wright is one of the worst, but check out
http://www.ultimatebb.com/home/firsttimeinstall.html for a few
good laughs:

"UNIX and All Others: If you are installing on a UNIX-based server, you
must set your permissions as follows:

Set your NON CGI directory to 777.
Set your Members Directory to 777.
Within the Members directory, set the Admin5.cgi to 777, as well.
Set your CGI Directory to 755. Within the CGI directory, set all files to 755,
except for the variable files (mods.file, Styles.file, UltBB.setup
and forums.cgi), which should be set to mode 777.

If your web server does not allow you to have files set to mode 777 within
the CGI directory, you will need to make the changes noted here. Most web
servers do not have this restriction."

Not even a note that this could be bad.

	Patrick

-- 
 Patrick Oonk - PO1-6BONE - patrickat_private - www.pine.nl/~patrick
 Pine Internet B.V.                            PGP key ID BE7497F1
 Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
 -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
 Excuse of the day: Digital Manipulator exceeding velocity
 parameters
    
    
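The install instructions quoted in the post ask for mode 777 on directories and on files inside the CGI tree. As an added example (not from the original post, and not UBB's own code), the script below audits such a tree for world-writable entries and strips the other-write bit from them; it assumes POSIX find/chmod plus GNU stat (-c), and the directory layout it builds is constructed to mirror the quoted instructions.

```shell
#!/bin/sh
# Added example, not part of the original post or of UBB: find the
# world-writable entries the quoted install text asks for, then harden them.
# Assumes POSIX find/chmod and GNU stat; the tree path is a hypothetical argument.

# List every file or directory under $1 whose mode includes other-write,
# one "octal-mode path" line each (e.g. "777 /srv/www/cgi-bin/forums.cgi").
find_world_writable() {
    find "$1" -perm -002 -exec stat -c '%a %n' {} + 2>/dev/null | sort
}

# Count the world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove other-write from everything under $1; print how many entries changed.
harden_tree() {
    before=$(count_world_writable "$1")
    find "$1" -perm -002 -exec chmod o-w {} +
    echo "$before"
}

# Demonstration on a constructed tree laid out like the quoted instructions:
# cgi-bin 755 with one 777 "variable file", Members directory and Admin5.cgi 777.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cgi-bin" "$tmp/Members"
    chmod 755 "$tmp/cgi-bin"
    : > "$tmp/cgi-bin/ultimatebb.cgi"; chmod 755 "$tmp/cgi-bin/ultimatebb.cgi"
    : > "$tmp/cgi-bin/forums.cgi";     chmod 777 "$tmp/cgi-bin/forums.cgi"
    : > "$tmp/Members/Admin5.cgi";     chmod 777 "$tmp/Members/Admin5.cgi"
    chmod 777 "$tmp/Members"
    echo "World-writable before hardening: $(count_world_writable "$tmp")"
    find_world_writable "$tmp"
    harden_tree "$tmp" >/dev/null
    echo "World-writable after hardening:  $(count_world_writable "$tmp")"
    rm -rf "$tmp"
}

demo
```

Run it against a real document root as a read-only check first (find_world_writable only), since harden_tree changes modes in place.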



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:55 PDT