FUDforum: Bug Reports » uninstall.php

Home » FUDforum Development » Bug Reports » uninstall.php

Show: Today's Messages :: Polls :: Message Navigator

uninstall.php [message #24625]

Sat, 07 May 2005 10:50

danger

Messages: 11
Registered: May 2005
Location: Slovakia

Karma:

Junior Member

firstly: I don't know if i can call this "bug" but it is really big security hole :/

I have taken note that in the forum directory, there is a uninstall.php script. So I have decided to touch if from web. I got a html form, where I have just added /home/user and it deleted everything under this directory that was deletable by group under the apache is running (note that if it was running under root, attacker could remove whole filesystem)!!! (luckily I had everything backuped.)

I think that this script could be chmoded to 000 after forum install and when user decide to uninstall his forum, he will need to chmod it to 644. alternatively, there should be some kind of authentification method, since the after-effects should be really bad if some attacer is able to run this script :/

[Updated on: Sat, 07 May 2005 11:05]

Report message to a moderator

[Message index]

		uninstall.php By: danger on Sat, 07 May 2005 10:50
		Re: uninstall.php By: Ilia on Sat, 07 May 2005 15:12
		Re: uninstall.php By: danger on Sat, 07 May 2005 16:25
		Re: uninstall.php By: Ilia on Sat, 07 May 2005 17:22
		Re: uninstall.php By: danger on Sat, 07 May 2005 17:42
		Re: uninstall.php By: Ilia on Sat, 07 May 2005 18:25

Previous Topic:	Errors on [New topic] and [Reply] functions when using [Romanian]
Next Topic:	hidden category

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Nov 28 02:03:23 GMT 2024

Total time taken to generate the page: 0.03831 seconds