AnyBoard - Anyone can get admin password!!!



Vulnerability

    Anyboard

Affected

    Systems running Anyboard (www.netbula.com)

Description

    Draz Q published a short summary of problems with a piece of
    web-related software in eurohack.  Basically, it sounds like a
    common CGI problem.  It does not give user or root access, only
    the ability to fake or modify just about anything shown by the
    program.

    After using the Anyboard Forum for a while, Draz Q found a "little"
    (?) flaw in it that allows _anyone_ to get the admin login and
    password.  This is because the forum CFG file is available to
    anyone.  This allows anyone to:

        - Delete messages in the forum (purge the whole forum)
        - Modify messages
        - Write messages as Admin
        - Change admin login and password
        - In short, do anything in the Message forum
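
    An added example, not part of the original advisory or of Anyboard's
    code: a check an administrator can run over a web document root to find
    config files that sit where the server will serve them and that hold
    credential-like keys.  The file extensions, key names and sample tree
    are assumptions; the advisory does not give Anyboard's file name or format.

```python
import os
import re
import stat

# Assumed patterns: the advisory names neither the CFG file nor its keys.
CONFIG_EXTENSIONS = (".cfg", ".conf", ".ini")
CREDENTIAL_KEY = re.compile(
    r"^\s*([\w.-]*(?:pass(?:word|wd)?|login|secret)[\w.-]*)\s*[=:]", re.I | re.M)


def audit_docroot(docroot):
    """List config files under the document root that contain credential-like
    keys. Only key names are reported, never the stored values."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if not name.lower().endswith(CONFIG_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable to the auditor; skip rather than abort
            keys = sorted({k.lower() for k in CREDENTIAL_KEY.findall(text)})
            if keys:
                rel = os.path.relpath(path, docroot).replace(os.sep, "/")
                findings.append({"url_path": "/" + rel, "keys": keys,
                                 "world_readable": bool(mode & stat.S_IROTH)})
    return findings


def build_sample_tree(root):
    """Create a constructed layout: one exposed forum config, one harmless
    config, and one credential file kept outside the document root."""
    docroot = os.path.join(root, "htdocs")
    os.makedirs(os.path.join(docroot, "forum"))
    os.makedirs(os.path.join(root, "private"))
    samples = {
        os.path.join(docroot, "forum", "forum.cfg"):
            "title = Demo Forum\nadmin_login = admin\nadmin_password = CONSTRUCTED\n",
        os.path.join(docroot, "forum", "style.cfg"): "bgcolor = #ffffff\n",
        os.path.join(root, "private", "forum.cfg"): "admin_password = CONSTRUCTED\n",
    }
    for path, body in samples.items():
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    return docroot
```

    Any finding means the file should be moved out of the document root or
    have direct requests for it denied by the web server.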

Solution

    Nothing yet.

