Bugtraq mailing list archives
Re: Discus advisory.
From: ianj () CALWEB COM (Ian R. Justman)
Date: Wed, 28 Apr 1999 16:41:15 -0700
On Fri, 23 Apr 1999, Elaich Of Hhp wrote:
> (hhp) Discus advisory. (hhp)
> ---------------------------------------------------
> Discus (Free discussion for your Web Site!)
> at http://www.chem.hope.edu/discus/ has a directory
> and file permission problem. The code is really
> messy and they need to learn file and permission
> operations better. The source determines the mode
> of the directories and files from other sources:
> Line: 533 in discus3_01/source/src-board-setup
> which is a totally bad idea being that no matter
> what, the private files should not be +r... ie,
> the *.txt's and so on. I contacted the software
> programmers and hope they recognize this problem
> being that the files are so open and easy to find
> with any public search engines. I noticed quite a
> few servers are using this software and I would
> guesstimate about 80% or more are vulnerable to
> getting their userfile cracked and their server
> rooted.
> So my suggestion to people using this
> software is check your modes or either wait for a
> new release of the software. I did not want to get
> into making a patch being that they need to totally
> redo some of their methods.
> elaich - 2:30:15am CST 4/24/1999
> --------------------------------------------
> elaich of the hhp.
> Email: hhp () hhp hemp net / pigspigs () yahoo com
> Voice: 1800-Rag-on-gH pin: The-hhp-crew
> Web: http://hhp.hemp.net
> --------------------------------------------

Showed this to my boss because one of our customers (one whose account we are currently reviewing) runs this script.

If this is running under Linux, FreeBSD or any system with a decent shadow password system or something similar AND a sanely-configured web server, e.g. with CGIwrap, any internal wrappering which runs scripts as the owner of the script like any later version of Apache with the integrated setuid wrapper, or at the very least just outright running scripts as an arbitrary unprivileged user, there is no problem. You can't read /etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged user. ;)

--Ian.

---
Ian R. Justman (ianj () calweb com)
System Administrator and Postmaster, CalWeb Internet Services, Inc.
Office: (916) 641-9320
Finger ianj () calweb com for my public PGP key.
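
The advisory's suggestion to "check your modes", as an added example that is not part of either post or of the Discus distribution: it lists board files that grant read or write access to "other" and can strip that access. The directory argument is whatever path the administrator installed the board data under (the page does not name it), and `restrict_modes` assumes the CGI scripts run as the directory owner through a wrapper such as CGIwrap, as described in the reply.

```shell
#!/bin/sh
# Added example: audit and tighten file modes under a board data directory.
# The directory is supplied by the caller; no Discus path is assumed.

# audit_modes DIR
# Print every regular file under DIR whose mode grants read (o+r)
# or write (o+w) access to "other".
audit_modes() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -004: other-read bit set; -perm -002: other-write bit set
    find "$dir" -type f \( -perm -004 -o -perm -002 \) -print
}

# restrict_modes DIR
# Remove all "other" access from files and directories under DIR.
# Assumption: the scripts run as the owner of DIR (CGIwrap or a similar
# wrapper), so the web server's own account needs no access to these files.
restrict_modes() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# Usage: sh audit.sh /path/to/board/data
# With an argument, report only; tightening is a separate, deliberate step.
if [ "$#" -gt 0 ]; then
    audit_modes "$1"
fi
```
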
