(hhp) 'Message Board' advisory. (hhp) hhp-ADV#9 by: loophole hhp@hhp.perlx.com 11/7/99 4:07:10am CST. --------------------------------------------------------------------- Alright, to my knowledge, there is a problem with a peice of software named 'Message Board'. You can download this software at URL: http://dreamcatchersweb.com/scripts/ The problem is based on default file/directory permissions via bad instalation steps. The following text comes from the readme file in the software at step 18.2: >The files included need to following permissions: > >board.cgi a+rx or 755 >admin.cgi a+rx or 755 >data.txt a+rw or 666 >password.txt a+rw or 666 > >You also need to set the permission of your directories: > >users a+rw or 666 >messages a+rw or 666 >reponses a+rw or 666 >archives a+rw or 666' Also contained in whatisit.txt of the software package: >The password included in this package is "password" so >I suggest you change this. A big problem is in password.txt which contains a crypt(3) password that is easily crackable via 'john the ripper' or other standard DES password crackers. Which then the cracker could access admin.cgi and change/delete the database, passwords, or anything he choses. Also thier is a users/ directory which contains user account files for the board. Also containing thier crypt(3) passwds and email addresses. I think the easiest way to fix this, is for the software programmers to touch up on the security side of thier software and to change the default permissions in the readme file. -hhp-2t0-------------------------------------------------------------