WWWBoard is a threaded World Wide Web discussion forum and message board that allows users to post new messages and follow up on existing ones. This product has been found to contain two vulnerabilities:
1) Default passwords are used (but can be changed, of course).
2) The password file is world readable.
Credit:
WWWBoard's home page can be found at:
http://www.worldwidemart.com/scripts/wwwboard.shtml
By following WWWBoard's install instructions exactly, you leave yourself open to the risk of attack through the wwwadmin.pl script. The writer of WWWBoard was at least smart enough to include some type of username/password checking, but he did not force the WWWBoard administrator to pick or create a password for the WebAdmin account before the board would work. Instead he created a default account:
Username: WebAdmin
Password: WebBoard
The password is written into passwd.txt, and that file has to remain world readable so that local users can read it. The password in this file is encrypted with crypt(), but because anyone can view the file, an attacker can easily run a dictionary attack against it.
Suggested course of action:
1) Change the default password to something less obvious.
2) Move the file into a directory where it cannot be accessed from the WWW. You can do this easily by changing the $passwd_file variable from passwd.txt to "/path/to/non-web/dir/brdpass.txt" (you should first rename passwd.txt to brdpass.txt and move it into that directory).
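
An administrator can check an existing install against both suggestions with a short audit script. This is an added example, not code from WWWBoard or from the original advisory; the function name audit_passwd_file is hypothetical, the paths in the usage line are placeholders, and it assumes each line of the password file has the form username:crypt_hash.

```perl
#!/usr/bin/perl
# Added audit example (not part of WWWBoard).
# Assumption: each record in the password file is "username:crypt_hash".
use strict;
use warnings;
use File::Spec;

# Default account named in the advisory.
my ($DEF_USER, $DEF_PASS) = ('WebAdmin', 'WebBoard');

# Return a list of findings (empty list = nothing found) for one password file.
sub audit_passwd_file {
    my ($file, $docroot) = @_;
    my @findings;

    my @st = stat($file) or return ("cannot stat $file: $!");
    push @findings, 'file is world readable (mode has o+r)' if $st[2] & 0004;

    # Anything under the document root can be fetched by URL.
    # This is a lexical path comparison; symlinks are not resolved.
    my $abs  = File::Spec->rel2abs($file);
    my $root = File::Spec->rel2abs($docroot);
    $root =~ s{/+$}{};
    push @findings, 'file is inside the web document root'
        if index($abs, "$root/") == 0;

    open(my $fh, '<', $file) or return (@findings, "cannot open $file: $!");
    while (my $line = <$fh>) {
        chomp $line;
        my ($user, $hash) = split /:/, $line, 2;
        next unless defined $hash && length $hash;
        # crypt() reads its salt from the stored hash, so hashing the default
        # password with it reproduces the stored value if it was never changed.
        my $try = crypt($DEF_PASS, $hash);
        push @findings, "account '$user' still uses the default password"
            if defined $try && $try eq $hash;
    }
    close $fh;
    return @findings;
}

# Usage: perl audit.pl /path/to/wwwboard/passwd.txt /path/to/document/root
unless (caller) {
    my ($file, $docroot) = @ARGV;
    die "usage: $0 passwd_file document_root\n" unless defined $docroot;
    my @findings = audit_passwd_file($file, $docroot);
    print "FINDING: $_\n" for @findings;
    print "no findings\n" unless @findings;
    exit(@findings ? 1 : 0);
}
```

A non-zero exit status means at least one finding, so the script can be run from cron after the password has been changed and the file has been moved.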