FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » SECURITY HOLE in 2.0
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
SECURITY HOLE in 2.0 [message #5077] Tue, 20 August 2002 15:48 Go to next message
PestControl is currently offline  PestControl   United States
Messages: 1
Registered: June 2002
Location: Greenfield, MA
Karma: 0
Junior Member
Hi, folks. Look what my intrusion detection system caught:

GET /forum/tmp_view.php?file=/etc/passwd

I tested it and it does what you'd expect. Since my IDS caught it, that means it's already being actively exploited by system crackers.

The file tmp_view.php from FUDForum 2.0 can be used to view any file on the machine that's readable by the user the web server runs as. This is a Bad Thing(tm).

I upgraded to FUDForum 2.2.3 and the problem has been fixed. I only bring it up here because I believe it's important that people running older versions of the forum software be made aware of this problem and upgrade ASAP.


Bleeding head GOOD, healed head BAD!!

[Updated on: Tue, 20 August 2002 15:53]

Report message to a moderator

Re: SECURITY HOLE in 2.0 [message #5080 is a reply to message #5077] Tue, 20 August 2002 16:09 Go to previous message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
This is a security fault found in versions <2.2, and was resolved in version 2.2.0. At the time of that release a note was made about this vunreability.

FUDforum Core Developer
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: post at Moderated Forum
Next Topic: Registration Error 2.3.0RC3
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 04:55:53 GMT 2024

Total time taken to generate the page: 0.02636 seconds