Vulnerability Development mailing list archives
Re: wwwboard my help reveal user name and password
From: jlegate () ALIENCHICK COM (Jason Legate)
Date: Fri, 7 Jul 2000 21:30:01 -0700
On Fri, Jul 07, 2000 at 02:24:11PM -0400, Shadowboxer wrote:
> Julian Linton wrote:
> > This is probably well known already. If wwwboard.pl is installed with most of its default settings, any web user can access www.somesite.com/wwwboard/passwd.txt. This will show the username and encrypted password for the wwwadmin.pl script. I did a search on the internet and many of the sites that are running wwwboard use the same password and username for other services, such as ftp or telnet. I feel this can be a problem since the passwd.txt file is world readable.
> >
> > Julian Linton
> > CIS Student @ FAMU.EDU
> > jlinton () cis famu edu
>
> There have been countless security bugs found in Matt Wright's wwwboard script since it was released. It is pretty much obsolete these days. I know a few people who have played with the script a little and got it to be pretty bug-free/secure. The minimum would be to fix this password problem and to add referrer checking so a standalone script can't be used to bomb it.
I think adding referrer checking is useless. One can spoof a Referrer: header in an HTTP request just as easily as spoof the actual requests.

-j

-- 
Jason Legate | jlegate () sitesmith com | SiteSmith, Inc. | 24x7 Call Center | http://www.sitesmith.com | +1 888 898 7667 / +800 7483 7483
PGP Key ID - 0xA855AAC2 | Fingerprint - 2D5F 87A0 26E6 A65B 6837 D100 FB54 A972 A855 AAC3
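An added example, not part of the thread or of Matt Wright's wwwboard: the fix the thread is circling around is to keep passwd.txt out of reach of web clients regardless of what headers a request carries, so the filter below denies the data file by canonicalised path and deliberately ignores Referer, which is client-supplied. The protected path `/wwwboard/passwd.txt` is taken from the thread; the function names are this example's own.

```python
import posixpath
from urllib.parse import unquote

# Files the wwwboard install keeps inside the web root that must never be
# served. Moving passwd.txt out of the document root is the real fix; this
# filter is a second layer in front of the script. (Constructed for this
# example; the path comes from the thread.)
PROTECTED = frozenset({"/wwwboard/passwd.txt"})


def normalize_request_path(raw_path: str) -> str:
    """Canonicalise a request path before comparing it with the deny list.

    Percent-decoding repeats until the string is stable, so a doubly
    encoded name is resolved; dot segments are collapsed so that
    /wwwboard/./passwd.txt and /wwwboard/x/../passwd.txt both become
    /wwwboard/passwd.txt. The query string is not part of the file name.
    """
    path = raw_path.split("?", 1)[0]
    previous = None
    while path != previous:
        previous = path
        path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def should_serve(raw_path: str) -> bool:
    """Return True only when the request does not target a protected file.

    No header is consulted: a Referer value is chosen by the client, so it
    cannot be the thing that decides whether the password file is readable.
    """
    return normalize_request_path(raw_path) not in PROTECTED
```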