anyboard.forum.passwd.txt

`Date: Sat, 24 Apr 1999 03:55:39 +0200  
From: "Bluefish [@ home]" <[email protected]>  
To: [email protected]  
Subject: Anyboard (www.netbula.com) problem's publicly discussed in eurohack  
  
Draz Q published a short summary of problems with a webrelated software in  
eurohack. Basicly it sounds pretty much like a common CGI problem. It  
does not give user or root access, only the ability to fake/modify just  
about anything showed by the program. However, in the parts left out by me  
Draz Q mentiones a great many sites (including commercial sites) exposed  
to the vulnarbility.  
  
=========================================================================  
Anyboard Forum Security Hazard - POSTED ON Eurohack and Radikal 23/04/99  
by draz Q.  
=========================================================================  
Anyboard by Netbula (www.netbula.com)  
  
After using the Anyboard Forum at my own page (www.radikal.net/radikal)  
for  
a while I've found a "little" (?) flaw in it that allows _anyone_ to get  
the  
admin login and password. This is because the forum CFG file is available  
to  
anyone.  
  
This, allows anyone to,  
- Delete messages in the forum (purge the whole forum)  
- Modify messages  
- Write messages as Admin  
- Change admin login and password  
- In short, do anything in the Message forum  
  
[official] http://www.11a.nu/  
[mirror.1] http://194.236.13.242/11a/index.html  
[mirror.2] http://home.swipnet.se/~w-12702/11A/  
[my.email] ealliance$hotmail.com || 11a$gmx.net  
  
`