|
Date: Fri, 23 Apr 1999 22:34:08 -0400 From: Elaich Of Hhp <hhp@NS.SUSPEND.NET> To: BUGTRAQ@netspace.org Subject: Discus advisory. (hhp) Discus advisory. (hhp) --------------------------------------------------- Discus (Free discussion for your Web Site!) at http://www.chem.hope.edu/discus/ has a directory and file permission problem. The code is really messy and they need to learn file and permission operations better. The source determines the mode of the directories and files from other sources: Line: 533 in discus3_01/source/src-board-setup which is a totally bad idea being that no matter what, the private files should not be +r... ie, the *.txt's and so on. I contacted the software programmers and hope they recognize this problem being that the files are so open and easy to find with any public search engines. I noticed quite a few servers are using this software and I would guestimate about 80% or more are vulnerable to getting thier userfile cracked and their server rooted. So my suggestion to people using this software is check your modes or either wait for a new release of the software. I did not want to get into making a patch being that they need to totally redo some of their methods. elaich - 2:30:15am CST 4/24/1999 -------------------------------------------- elaich of the hhp. Email: hhp@hhp.hemp.net / pigspigs@yahoo.com Voice: 1800-Rag-on-gH pin: The-hhp-crew Web: http://hhp.hemp.net --------------------------------------------