SECURITY HOLE in 2.0
SECURITY HOLE in 2.0 [message #5077]
Tue, 20 August 2002 15:48
PestControl (Junior Member)
Messages: 1 Registered: June 2002 Location: Greenfield, MA
Hi, folks. Look what my intrusion detection system caught:
GET /forum/tmp_view.php?file=/etc/passwd
I tested it and it does what you'd expect. Since my IDS caught it, that means it's already being actively exploited by system crackers.
The file tmp_view.php from FUDForum 2.0 can be used to view any file on the machine that's readable by the user the web server runs as. This is a Bad Thing(tm).
I upgraded to FUDForum 2.2.3 and the problem has been fixed. I only bring it up here because I believe it's important that people running older versions of the forum software be made aware of this problem and upgrade ASAP.
Bleeding head GOOD, healed head BAD!!
[Updated on: Tue, 20 August 2002 15:53]
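A log check that a site still running an affected version could use to see whether the request shown in the post has reached it. This is an added example, not part of the original post or of FUDforum; the combined log format, the constructed sample lines, and the rule that legitimate file= values are plain relative names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2002:15:31:02 -0400] "GET /forum/tmp_view.php?file=/etc/passwd HTTP/1.0" 200 1187',
    '203.0.113.7 - - [20/Aug/2002:15:31:09 -0400] "GET /forum/tmp_view.php?file=%2Fetc%2Fpasswd HTTP/1.0" 403 210',
    '198.51.100.4 - - [20/Aug/2002:15:40:11 -0400] "GET /forum/tmp_view.php?file=preview_ab12.txt HTTP/1.0" 200 532',
    '198.51.100.9 - - [20/Aug/2002:15:41:00 -0400] "GET /forum/index.php?t=msg&th=12 HTTP/1.0" 200 9001',
]

# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)')

def path_reason(value):
    """Why a file= value points outside the script's own directory, or None."""
    parts = value.replace("\\", "/").split("/")
    if "\x00" in value:
        return "NUL byte"
    if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", value):
        return "absolute path"
    if ".." in parts:
        return "parent-directory reference"
    return None

def scan(lines, script="tmp_view.php"):
    """Return one finding per request to `script` with a suspicious file= value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, target, status, size = m.groups()
        url = urlsplit(target)
        if unquote(url.path).rsplit("/", 1)[-1].lower() != script:
            continue
        # parse_qs percent-decodes, so file=%2Fetc%2Fpasswd is seen as /etc/passwd
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            reason = path_reason(value)
            if reason:
                findings.append({
                    "host": host, "time": when, "file": value, "reason": reason,
                    # a 200 with a body means the server most likely returned the file
                    "served": status == "200" and size not in ("0", "-"),
                })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A finding with "served" set to True is the case to treat as a confirmed file disclosure rather than a probe.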