FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » uninstall.php
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
uninstall.php [message #24625] Sat, 07 May 2005 10:50 Go to previous message
danger is currently offline  danger   Slovakia
Messages: 11
Registered: May 2005
Location: Slovakia
Karma:
Junior Member
firstly: I don't know if i can call this "bug" but it is really big security hole :/

I have taken note that in the forum directory, there is a uninstall.php script. So I have decided to touch if from web. I got a html form, where I have just added /home/user and it deleted everything under this directory that was deletable by group under the apache is running (note that if it was running under root, attacker could remove whole filesystem)!!! (luckily I had everything backuped.)

I think that this script could be chmoded to 000 after forum install and when user decide to uninstall his forum, he will need to chmod it to 644. alternatively, there should be some kind of authentification method, since the after-effects should be really bad if some attacer is able to run this script :/

[Updated on: Sat, 07 May 2005 11:05]

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Errors on [New topic] and [Reply] functions when using [Romanian]
Next Topic: hidden category
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 04:43:53 GMT 2024

Total time taken to generate the page: 0.04919 seconds