WWWBoard is a threaded World Wide Web discussion forum and message board that allows users to post new messages and follow up on existing ones. This product has been found to contain two vulnerabilities:
1) Default passwords are used (but can be changed, of course).
2) The password file is world readable.
By following WWWBoard's install instructions exactly, you leave yourself open to possible attack through the wwwadmin.pl script. The writer of WWWBoard was at least smart enough to include some type of username/password checking, but he didn't think to force the wwwboard administrator to pick/create a password for the webadmin account before the board would work. Instead he created a default account:
The password is written into passwd.txt and it has to remain world readable for the local users to read the file. The password in this file is encrypted with crypt(), but because you are able to view the file, an attacker can easily run a dictionary attack against it.
Suggested course of action:
1) Change the default password to something less obvious.
2) Move the file into a directory where it cannot be accessed from the WWW. You can do this easily by changing the $passwd_file variable from passwd.txt to "/path/to/non-web/dir/brdpass.txt" (you should first rename passwd.txt to brdpass.txt and move it into that directory).
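
An added example (not part of the original advisory or of WWWBoard's code): a Python audit that reads the `$passwd_file` setting from the text of wwwadmin.pl and reports whether the configured file still sits under the web root or is world readable. The `board_dir` and `web_root` parameters, the rule that a relative value resolves against `board_dir`, and the temporary directory layout in `demo()` are assumptions made for the demonstration.

```python
import os
import re
import stat
import tempfile

# Matches the Perl assignment  $passwd_file = "...";  in wwwadmin.pl
PASSWD_VAR = re.compile(r'^\s*\$passwd_file\s*=\s*(["\'])(.*?)\1\s*;', re.M)

def configured_passwd_file(script_text, board_dir):
    """Return the absolute path wwwadmin.pl is configured to use.
    Assumption: a relative value is resolved against board_dir."""
    m = PASSWD_VAR.search(script_text)
    if not m:
        raise ValueError("no $passwd_file assignment found")
    return os.path.realpath(os.path.join(board_dir, m.group(2)))

def audit(script_text, board_dir, web_root):
    """Return a list of findings for the configured password file."""
    path = configured_passwd_file(script_text, board_dir)
    root = os.path.realpath(web_root)
    findings = []
    # realpath() follows symlinks, so a link inside the web root still counts
    if os.path.commonpath([path, root]) == root:
        findings.append("inside-web-root")
    if os.path.exists(path) and os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings

def demo():
    """Build a constructed layout and audit it before and after the move."""
    with tempfile.TemporaryDirectory() as top:
        web = os.path.join(top, "htdocs")
        board = os.path.join(web, "wwwboard")
        private = os.path.join(top, "private")
        os.makedirs(board)
        os.makedirs(private)
        old = os.path.join(board, "passwd.txt")
        with open(old, "w") as fh:
            fh.write("constructed-user:constructed-hash\n")
        os.chmod(old, 0o644)
        before = audit('$passwd_file = "passwd.txt";', board, web)
        new = os.path.join(private, "brdpass.txt")
        os.rename(old, new)
        after = audit('$passwd_file = "%s";' % new, board, web)
        return before, after

if __name__ == "__main__":
    print(demo())
```

After the move the web-root finding clears, but the file is still readable by local users, which is why the default password has to be changed as well.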