PaintBBS oekaki World Writable Directory

2002-01-22T00:00:00
ID OSVDB:5692
Type osvdb
Reporter John Bissell "HighT1mes"(blumorpho@cox.net)
Modified 2002-01-22T00:00:00

Description

Vulnerability Description

PaintBBS contains a flaw that may allow a malicious user to obtain the encrypted server password or modify the server configuration file. The issue is a result of insecure permissions of the oekakibbs.conf file and the /oekaki/ directory. This may result in a loss of confidentiality and/or integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds:

  1. Use the chmod command to change the default permissions of the /oekaki/ directory
  2. Rename the oekakibbs.conf file
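The audit and first workaround above, as an added POSIX shell example (not code from the advisory or the PaintBBS project). The install path, the sample conf contents and the decision to strip only the "other" bits are assumptions; it assumes the web server account owns the directory or shares its group.

```sh
#!/bin/sh
# Added example, not part of the advisory: audit the two permission problems
# the advisory describes and apply the chmod workaround.

# 0 if "other" has write on the path (world-writable), 1 otherwise.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# 0 if "other" has read on the path (world-readable), 1 otherwise.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Audit one PaintBBS install root (assumed layout: <root>/oekakibbs.conf).
# Prints one finding per line; the return value is the number of findings,
# so 0 means nothing needs fixing.
audit_oekaki() {
    root="$1"
    findings=0
    if is_world_writable "$root"; then
        echo "WORLD-WRITABLE dir: $root (any local account can alter the board)"
        findings=$((findings + 1))
    fi
    conf="$root/oekakibbs.conf"
    if [ -e "$conf" ] && is_world_readable "$conf"; then
        echo "WORLD-READABLE conf: $conf (exposes the hashed server password)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Workaround 1 from the advisory: remove all "other" bits from the directory
# and the conf file. Owner and group keep their access so the CGI still runs
# (assumes the web server account is the owner or in the group).
harden_oekaki() {
    root="$1"
    chmod o-rwx "$root"
    [ -e "$root/oekakibbs.conf" ] && chmod o-rwx "$root/oekakibbs.conf"
    return 0
}
```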

Short Description

PaintBBS contains a flaw that may allow a malicious user to obtain the encrypted server password or modify the server configuration file. The issue is a result of insecure permissions of the oekakibbs.conf file and the /oekaki/ directory. This may result in a loss of confidentiality and/or integrity.

Manual Testing Notes

http://[victim]/oetaki/oekakibbs.conf
http://[victim]/oetaki/

References:

Vendor URL: http://www.ax.sakura.ne.jp/~aotama/
Other Advisory URL: http://www.securityfocus.com/archive/1/251985
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-01/0292.html
ISS X-Force ID: 7982
CVE: CVE-2002-0202
Bugtraq ID: 3948