
AnyBoard - Anyone can get admin password!!!

Vulnerability

    Anyboard

Affected

    Systems running Anyboard (www.netbula.com)

Description

    Draz Q published a short summary of problems with a piece of
    web-related software in eurohack.  Basically it sounds pretty much
    like a common CGI problem.  It does not give user or root access,
    only the ability to fake/modify just about anything shown by the
    program.

    After using the Anyboard Forum for a while, Draz Q found a "little"
    (?) flaw in it that allows _anyone_ to get the admin login and
    password.  This is because the forum CFG file is available to
    anyone.  This allows anyone to:

        - Delete messages in the forum (purge the whole forum)
        - Modify messages
        - Write messages as Admin
        - Change admin login and password
        - In short, do anything in the Message forum

Solution

    Nothing yet.
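
    An added example, not part of the original advisory or of Anyboard's
    own code: a local audit an administrator can run over a web document
    root to find configuration-style files that hold credential-like
    settings, which is the condition described above.  The file suffixes
    and key names are assumptions, since the advisory does not name the
    CFG file or its fields.

```python
import os
import re
import tempfile

# Assumed values: the advisory does not name the config file or its fields.
CONFIG_SUFFIXES = (".cfg", ".conf", ".ini")
CREDENTIAL_KEY = re.compile(
    r"^\s*[\w.]*(passw(or)?d|admin[_-]?(login|user|name))[\w.]*\s*[=:]", re.I)


def find_exposed_configs(docroot):
    """Return {relative_path: [line numbers]} for config-style files under
    docroot that contain credential-like settings. Values are never returned."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    hits = [n for n, line in enumerate(fh, 1)
                            if CREDENTIAL_KEY.search(line)]
            except OSError:
                continue  # unreadable to this user; skip, do not abort the audit
            if hits:
                findings[os.path.relpath(path, docroot)] = hits
    return findings


def demo():
    """Build a constructed document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forum"))
        # Constructed sample config with credential-like keys.
        with open(os.path.join(root, "forum", "board.cfg"), "w") as fh:
            fh.write("title=Test board\nadmin_login=root\nadmin_password=example\n")
        # Config file without credentials: must not be reported.
        with open(os.path.join(root, "forum", "theme.cfg"), "w") as fh:
            fh.write("bgcolor=#ffffff\n")
        # Not a config file: ignored even though it mentions a password.
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<p>password= is mentioned here</p>\n")
        return find_exposed_configs(root)


if __name__ == "__main__":
    for rel, lines in demo().items():
        print(f"{rel}: credential-like settings on lines {lines}")
```

    Any file it reports should be moved outside the document root or
    blocked from being served by the web server.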
