Bugtraq mailing list archives

More fun with WWWBoard


From: sh () QUADRUNNER COM (David Weins)
Date: Fri, 17 Sep 1999 05:09:38 -0700


Since I didn't see any of this mentioned in any of the archived WWWBoard
articles from bugtraq, I decided to send it in.

Possible Compromise: Remote Administration of WWWBoard.
-------------------------------------------------------

By following WWWBoard's install instructions exactly, you can leave
yourself open to the risk of possible abuse through the wwwadmin.pl
script.  Matt Wright was at least smart enough to include some type
of username/password checking, but he didn't have the idea to force
the wwwboard administrator to pick/create a password for the webadmin
account before the board would work.  Instead he created a default
account:

Username: WebAdmin
Password: WebBoard

Well, at least he does suggest that you change this password the first
time you log into wwwadmin.  Now most people are smart enough to
change the default password to something at least halfway more secure,
but thanks to Matt Wright your new password is written into passwd.txt
and it has to remain readable/writeable for the server to change the file.
The password in this file is at least encrypted with crypt, but just
being able to view the file will allow a cracker to sit down and
run a dictionary crack against it.

Suggested course of action:

If you haven't looked over the scripts or at least read the entire
ADMIN_README file to begin with (which you should do when you download
any program) you can see that there is a variable to where to store/name
the password file.  This variable is called $passwd_file.  Since the file
needs to be open to writings and readings your best bet would be to move
the file into a directory where it cannot be accessed via the world
wide web.  You can do this easily by changing the $passwd_file variable
from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename
passwd.txt to brdpass.txt and move it into that directory.  It at least
provides you with a little more security than this insecure program
does for you, or even suggests for you.

  -dew

.*******************************************************************.
:  David E. Weins      \   "Time is a great teacher, unfortunately  :
:  david () weins net      \   it kills all its pupils."               :
:                        \              - Hector Berlioz            :
`*******************************************************************'
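
An added audit helper (not part of the post or of WWWBoard itself) that checks the two exposures described above: it parses the `$passwd_file` assignment out of a copy of wwwadmin.pl, resolves a relative value against the CGI script's directory, and reports whether the file sits under the web document root and whether its mode bits leave it world-readable. The Perl assignment form `$passwd_file = "passwd.txt";`, the directory layout and the mode values are assumptions for the sample run.

```python
import os
import re
import stat

# Assumed form of the setting in wwwadmin.pl:  $passwd_file = "passwd.txt";
PASSWD_RE = re.compile(r'^\s*\$passwd_file\s*=\s*["\']([^"\']+)["\']\s*;', re.M)


def configured_passwd_path(wwwadmin_source, script_dir):
    """Return the absolute path of the password file named in wwwadmin.pl.
    A relative value (the shipped default) is resolved against the CGI
    script's own directory, which is where the script's open() finds it."""
    m = PASSWD_RE.search(wwwadmin_source)
    if not m:
        raise ValueError("no $passwd_file assignment found")
    return os.path.normpath(os.path.join(script_dir, m.group(1)))


def is_under_docroot(path, docroot):
    """True if the path lies beneath the web server's document root,
    i.e. the file can be fetched with a plain HTTP request."""
    root = os.path.normpath(docroot) + os.sep
    return os.path.normpath(path).startswith(root)


def world_readable(mode):
    """True if the 'other' read bit is set on the given st_mode value."""
    return bool(mode & stat.S_IROTH)


def audit(wwwadmin_source, script_dir, docroot, mode):
    """Summarise both exposures: reachable over the web, and readable by
    every local account (each one lets a dictionary run proceed offline)."""
    path = configured_passwd_path(wwwadmin_source, script_dir)
    return {
        "path": path,
        "web_reachable": is_under_docroot(path, docroot),
        "world_readable": world_readable(mode),
    }


# Constructed sample settings: the default, and the relocation the post suggests
DEFAULT_CFG = '$passwd_file = "passwd.txt";\n'
MOVED_CFG = '$passwd_file = "/path/to/non-web/dir/brdpass.txt";\n'

if __name__ == "__main__":
    for cfg in (DEFAULT_CFG, MOVED_CFG):
        print(audit(cfg, "/var/www/html/wwwboard", "/var/www/html", 0o666))
```

Run it against the real script directory and `os.stat(path).st_mode` of the actual file; a result with either flag set means the relocation and a tighter mode are still outstanding.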

