TUCoPS :: Web BBS :: etc :: wwwthred.txt

WWWThreads - wwwthreads Discussion Forum has several security holes.


[ http://www.rootshell.com/ ]

Date:         Tue, 8 Sep 1998 10:16:31 -0400
From:         Ken Williams <jkwilli2@UNITY.NCSU.EDU>
Subject:      wwwthreads discussion forum security holes

Hi,

     The WWW Threads discussion forum software,
http://www.screamingweb.com/wwwthreads/ has several security holes and
coding weaknesses.  When running the install script, the data directories
are created in a publicly accessible area. The install instructions direct
the user to create the data directory in a publicly accessible directory
under "html" or "public_html" also. The data directories contain, among
other things, administrator and user logins and passwords.  These passwords
are written to files in plaintext, and the files can easily be viewed and/or
downloaded by anyone with a web browser.  As far as I can tell, there is no
error or bounds checking in the administrative cgi scripts either, so
exploit code can easily be executed remotely once the plaintext passwords
are retrieved.

All platforms using these scripts are affected.

Suggested fixes:

1) move the data directories to non-publicly accessible area and correct
   the appropriate lines in the cgi scripts.

2) remove all (g) and (o) permissions to prevent local exploit.

3) use the UNIX crypt() function or something similar to encode passwords
   written to files.

4) add a "referer" variable to the cgi scripts so commands can only be
   executed on local server that has WWW Threads installed.


There are many other bugs in the WWW Threads scripts, so my personal
suggestion is to use another discussion forum script or roll your own until
these problems are fixed.

These bugs and security holes are present in the latest bugfix release of
WWW Threads (wwwthreads v2.7.3), and all earlier releases that I have
checked (2.6.* and 2.7.*).

The author, rbaker@screamingweb.com, was notified of these problems on Sat,
15 Aug 1998.


Regards,

Ken Williams

Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation  http://www.ehap.org/  ehap@ehap.org info@ehap.org
NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2@adm.csc.ncsu.edu
PGP DSS/DH/RSA Keys   http://www.genocide2600.com/cgi-bin/finger?tattooman

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH