[11949] in bugtraq


Re: More fun with WWWBoard

daemon@ATHENA.MIT.EDU (Chris Ridd)
Tue Sep 21 14:36:31 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19912.937830278@MessagingDirect.com>
Date:         Mon, 20 Sep 1999 13:24:38 +0100
Reply-To: Chris Ridd <Chris.Ridd@MESSAGINGDIRECT.COM>
From: Chris Ridd <Chris.Ridd@MESSAGINGDIRECT.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Fri, 17 Sep 1999 05:09:38 PDT." 
              <Pine.LNX.4.10.9909170435200.30548-100000@puffer.quadrunner.com>

On Fri, 17 Sep 1999 05:09:38 PDT, David Weins wrote:
> Since I didn't see any of this mentioned in any of the archived WWWBoard
> articles from bugtraq, I decided to send it in.

[...]

Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly
isn't interested...)

> If you haven't looked over the scripts or at least read the entire
> ADMIN_README file to begin with (which you should do when you download
> any program) you can see that there is a variable to where to store/name
> the password file.  This variable is called $passwd_file.  Since the file
> needs to be open to writings and readings your best bet would be to move
> the file into a directory where it cannot be accessed via the world
> wide web.  You can do this easily by changing the $passwd_file variable
> from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename
> passwd.txt to brdpass.txt and move into that directory.  It at least
> provides you with a little more security than this insecure program
> does for you, or even suggests for you.

Sometimes you won't be able to do this - for example if your home
directory is your htdocs directory, which is the case for some ISPs. A
workaround is to prevent the web server from returning the passwd.txt
file, whilst still permitting the file to be read/written by the CGI
script.

In Apache you'd configure this as follows:

<Files passwd.txt>
deny from all
</Files>

Cheers,

Chris
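Both messages turn on one question: does the WWWBoard password file sit somewhere the web server will serve it? The following shell function answers that for a single Apache-style DocumentRoot. It is an added example, not code from either poster or from WWWBoard itself, and it assumes a POSIX shell; the directory names in the usage call are constructed. It flags the file if either its literal path or its symlink-resolved path falls under the document root, because a server configured with FollowSymLinks will serve the file through either route, so resolving links alone would give a false "safe".

```sh
#!/bin/sh
# Added example (not from the original posts): decide whether a WWWBoard
# $passwd_file path lies inside the web server's DocumentRoot.

# is_under_docroot DOCROOT FILE
#   exit 0  -> FILE's directory is inside DOCROOT (web-reachable unless denied)
#   exit 1  -> FILE's directory is outside DOCROOT
#   exit 2  -> a directory could not be resolved
is_under_docroot() {
    # Resolve both the logical (symlinks kept) and physical (symlinks followed)
    # form of each directory, and compare every combination: with FollowSymLinks
    # a file reached through a link under DOCROOT is served just the same.
    docroot_l=$(cd "$1" 2>/dev/null && pwd -L) || return 2
    docroot_p=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    filedir=$(dirname "$2")
    dir_l=$(cd "$filedir" 2>/dev/null && pwd -L) || return 2
    dir_p=$(cd "$filedir" 2>/dev/null && pwd -P) || return 2

    for root in "$docroot_l" "$docroot_p"; do
        root=${root%/}                     # tolerate a trailing slash on DOCROOT
        for d in "$dir_l" "$dir_p"; do
            case "$d/" in
                "$root"/*) return 0 ;;     # prefix match on a path boundary
            esac
        done
    done
    return 1
}

# check_passwd_file DOCROOT FILE
#   Prints the recommended fix. Exit 0 when the file is already outside the
#   served tree, 1 when it is inside, 2 on a path error.
check_passwd_file() {
    rc=0
    is_under_docroot "$1" "$2" || rc=$?
    case $rc in
        0)
            echo "EXPOSED: $2 is under DocumentRoot $1"
            echo "  fix: move it outside the web root and point \$passwd_file at the new path,"
            echo "  or block it in the server config, e.g. Apache 2.4:"
            echo "    <Files \"$(basename "$2")\">"
            echo "        Require all denied"
            echo "    </Files>"
            return 1 ;;
        1)
            echo "OK: $2 is outside DocumentRoot $1"
            return 0 ;;
        *)
            echo "ERROR: could not resolve $1 or $(dirname "$2")" >&2
            return 2 ;;
    esac
}

# Usage (constructed paths): check_passwd_file /var/www/htdocs /var/www/htdocs/wwwboard/passwd.txt
if [ "$#" -eq 2 ]; then
    check_passwd_file "$1" "$2"
fi
```

On Apache 2.4 the `deny from all` form in the post is only understood when mod_access_compat is loaded; `Require all denied` is the native equivalent, which is why the advice printed above uses it. The check covers only the main DocumentRoot; an Alias or UserDir mapping that exposes another directory would need its own test.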
