Vulnerability Development mailing list archives

Re: wwwboard my help reveal user name and password


From: shadoze () FREEWWWEB COM (Shadowboxer)
Date: Fri, 7 Jul 2000 14:24:11 -0400


Julian Linton wrote:

This is probably well known already. If wwwboard.pl is installed with
most of its default settings, any web user can access
www.somesite.com/wwwboard/passwd.txt. This will show the username and
encrypted password for the wwwadmin.pl script.  I did a search on the
internet and many of the sites that are running wwwboard use the same
password and username for other services, such as ftp or telnet.  I
feel this can be a problem since the passwd.txt file is world
readable.

Julian Linton
CIS Student @ FAMU.EDU
jlinton () cis famu edu

There have been countless security bugs found in Matt Wright's wwwboard
script since it was released.  It is pretty much obsolete these days.  I
know a few people who have played with the script a little and got it to
be pretty bug-free/secure.  The minimum would be to fix this password
problem and to add referrer checking so a standalone script can't be
used to bomb it.
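Added example, not part of the original post or of the wwwboard code: a small audit an administrator can run over a web document root to find password files that the server would hand out by URL, which is the exposure described in this thread. The `username:hash` record layout, the function names and the sample directory tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed record format: "username:hash", where hash is a 13-character
# traditional crypt(3) string. The thread only says the file holds a username
# and an encrypted password; the exact layout is an assumption.
CRED_LINE = re.compile(r"^[^:\s]+:[./0-9A-Za-z]{13}$")

def find_exposed_credential_files(docroot, names=("passwd.txt",)):
    """Return URL paths of credential-like files stored under docroot."""
    docroot = os.path.abspath(docroot)
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    lines = [ln.strip() for ln in fh if ln.strip()]
            except OSError:
                continue  # not readable by the auditing user; skip it
            # Flag only files whose every non-empty line looks like a record.
            if lines and all(CRED_LINE.match(ln) for ln in lines):
                rel = os.path.relpath(path, docroot)
                exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed layout: one exposed board, one unrelated text file,
    and one password file kept outside the document root."""
    docroot = os.path.join(root, "htdocs")
    os.makedirs(os.path.join(docroot, "wwwboard"))
    os.makedirs(os.path.join(docroot, "notes"))
    os.makedirs(os.path.join(root, "private"))
    sample = "boardadmin:abCDefGHijKLm\n"  # constructed, not a real hash
    with open(os.path.join(docroot, "wwwboard", "passwd.txt"), "w") as fh:
        fh.write(sample)
    with open(os.path.join(docroot, "notes", "passwd.txt"), "w") as fh:
        fh.write("remember to rotate passwords\n")
    with open(os.path.join(root, "private", "passwd.txt"), "w") as fh:
        fh.write(sample)
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for url in find_exposed_credential_files(build_sample_tree(tmp)):
            print("served by the web server:", url)
```

Any path the audit reports should be moved outside the document root or denied in the server configuration, and the credentials in it changed wherever they were reused.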

