On Fri, 17 Sep 1999 05:09:38 PDT, David Weins wrote:
> Since I didn't see any of this mentioned in any of the archived WWWBoard
> articles from bugtraq, I decided to send it in.

[...]

Does anyone maintain a list of WWWBoard bugs? (As Matt Wright clearly
isn't interested...)

> If you haven't looked over the scripts or at least read the entire
> ADMIN_README file to begin with (which you should do when you download
> any program) you can see that there is a variable to where to store/name
> the password file.  This variable is called $passwd_file.  Since the file
> needs to be open to writings and readings your best bet would be to move
> the file into a directory where it cannot be accessed via the world
> wide web.  You can do this easily by changing the $passwd_file variable
> from passwd.txt to "/path/to/non-web/dir/brdpass.txt" -- then rename
> passwd.txt to brdpass.txt and move it into that directory.  It at least
> provides you with a little more security than this insecure program
> does for you, or even suggests for you.

Sometimes you won't be able to do this - for example if your home
directory is your htdocs directory, which is the case for some ISPs. A
workaround is to prevent the web server from returning the passwd.txt
file, whilst still permitting the file to be read/written by the CGI
script.

In Apache you'd configure this as follows:

<Files passwd.txt>
deny from all
</Files>

Cheers,

Chris
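
An added example, not part of the original message: the same restriction written so it works on both Apache 2.2 and 2.4, since the legacy `deny from all` form needs mod_access_compat on 2.4. `passwd.txt` is the name used in the thread; putting the block in `.htaccess` is an assumption (it works in httpd.conf as well).

```apache
# Added example: block web access to the WWWBoard password file while
# leaving it readable/writable by the CGI script, which runs on the server
# and never fetches it over HTTP.
# In .htaccess this needs AllowOverride to include Limit and AuthConfig.
<Files "passwd.txt">
    # Apache 2.4: mod_authz_core syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with only mod_access_compat): legacy syntax
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After reloading the server, a request for the file from a browser should return 403 Forbidden while the board keeps accepting its password; a 200 response means the directive is not being applied (typically AllowOverride, or the wrong filename).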
