[11970] in bugtraq
Re: More fun with WWWBoard
daemon@ATHENA.MIT.EDU (Patrick Oonk)
Thu Sep 23 18:08:31 1999
Message-Id: <19990922224222.L25386@atro.pine.nl>
Date: Wed, 22 Sep 1999 22:42:22 +0200
Reply-To: patrick@pine.nl
From: Patrick Oonk <patrick@PINE.NL>
X-To: Mark Jeftovic <markjr@PRIVATEWORLD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3.0.6.32.19990921155109.00982de0@mail.privateworld.com>; from
Mark Jeftovic on Tue, Sep 21, 1999 at 03:51:09PM -0700
On Tue, Sep 21, 1999 at 03:51:09PM -0700, Mark Jeftovic wrote:
> At 01:24 PM 9/20/99 +0100, Chris Ridd wrote:
> >Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly
> >isn't interested...)
> >
>
> Doesn't look like it. I posted a vulnerability in his guestbook script
> to this list about 2 years ago (ironically entitled "Guestbook script
> is still vulnerable") and looking at it today ...the guestbook script
> is still vulnerable.
Matt Wright is one of the worst, but check out
http://www.ultimatebb.com/home/firsttimeinstall.html for a few
good laughs:
"UNIX and All Others: If you are installing on a UNIX-based server, you
must set your permissions as follows:
Set your NON CGI directory to 777.
Set your Members Directory to 777.
Within the Members directory, set the Admin5.cgi to 777, as well.
Set your CGI Directory to 755. Within the CGI directory, set all files to 755,
except for the variable files (mods.file, Styles.file, UltBB.setup
and forums.cgi), which should be set to mode 777.
If your web server does not allow you to have files set to mode 777 within
the CGI directory, you will need to make the changes noted here. Most web
servers do not have this restriction. "
Not even a note that this could be bad.
Patrick
-- 
Patrick Oonk - PO1-6BONE - patrick@pine.nl - www.pine.nl/~patrick
Pine Internet B.V. PGP key ID BE7497F1
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
-- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
Excuse of the day: Digital Manipulator exceeding velocity
parameters
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
iQB1AwUBN+k/LfMOST2+dJfxAQEBYwMAghcXjvZGbA7LapqXqcCuAqipPy2reeFc
wVcGM/vQWh04JvSQzedfQz/wdyfj0kvsoedxSPWpfvOEIbIAJVsR0I0jdPIiznNm
Avb5sl3DI3igjc9ND9dWp7Yadpx9hQSr
=MNaL
-----END PGP SIGNATURE-----
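As an added example, not code from the post above nor from the UltimateBB or WWWBoard projects: a small POSIX shell audit that finds the world-writable files and directories the quoted install instructions (mode 777) ask for, and a companion function that drops only the world-write bit so owner and group access is left as it was. The function names, the `/path/to/webroot` argument and the directory layout used when exercising it (`Members/`, `cgi-bin/forums.cgi`) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from UltimateBB/WWWBoard:
# audit a web tree for world-writable entries (what "set to mode 777" leaves
# behind) and strip the world-write bit so only owner and group keep write
# access. Function names and the sample layout are constructed assumptions.

# Print every path under $1 whose "other" write bit is set (777 directories,
# 666/777 files), one per line in a locale-independent order.
# Returns 0 when the tree is clean, 1 when anything was found.
audit_world_writable() {
    dir="$1"
    # -perm -002 tests the world-write bit alone, whatever the other bits are.
    hits=$(find "$dir" -perm -002 2>/dev/null | LC_ALL=C sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Remove the world-write bit from everything under $1. Owner and group write
# bits are untouched, so a script that must update its data files can still
# do so when the web server runs as the owner or in the owning group.
fix_world_writable() {
    dir="$1"
    find "$dir" -perm -002 -exec chmod o-w {} +
}

# Stand-alone use: ./audit.sh /path/to/webroot
# Exit status is 1 when anything world-writable was listed.
if [ -n "${1:-}" ]; then
    audit_world_writable "$1"
fi
```

The audit is deliberately scoped to the one bit the quoted instructions get wrong: a 777 data file inside a CGI directory can be rewritten by any local account, and a 777 directory lets any local account create or replace files there, which is why removing only `o-w` is the minimal fix that keeps the application's own owner-level writes working.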