SECURITY HOLE in 2.0 [message #5077]
Tue, 20 August 2002 15:48
PestControl
Messages: 1 Registered: June 2002 Location: Greenfield, MA
Karma: 0
Junior Member
Hi, folks. Look what my intrusion detection system caught:
GET /forum/tmp_view.php?file=/etc/passwd
I tested it and it does what you'd expect. Since my IDS caught it, that means it's already being actively exploited by system crackers.
The file tmp_view.php from FUDForum 2.0 can be used to view any file on the machine that's readable by the user the web server runs as. This is a Bad Thing(tm).
I upgraded to FUDForum 2.2.3 and the problem has been fixed. I only bring it up here because I believe it's important that people running older versions of the forum software be made aware of this problem and upgrade ASAP.
Bleeding head GOOD, healed head BAD!!
[Updated on: Tue, 20 August 2002 15:53]
Re: SECURITY HOLE in 2.0 [message #5080 is a reply to message #5077]
Tue, 20 August 2002 16:09
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
This is a security fault found in versions <2.2, and was resolved in version 2.2.0. At the time of that release a note was made about this vulnerability.
FUDforum Core Developer
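
A log check for the request pattern reported in the first post, as an added example that is not part of the original thread or of FUDforum's code: it flags query parameters whose decoded value is an absolute path or climbs directories, and records whether the server answered with a 2xx status. It goes beyond the single request shown to cover percent-encoded and relative forms; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request target and status code from a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a doubly encoded '/' is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a decoded parameter value looks like a filesystem path."""
    if value.startswith("/") or re.match(r"[A-Za-z]:[\\/]", value):
        return "absolute path"
    if ".." in re.split(r"[\\/]", value):
        return "parent-directory traversal"
    return None

def scan(lines):
    """Return (line_no, param, decoded_value, reason, served) per finding."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.groups()
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, raw in parse_qsl(urlsplit(target).query):
            value = fully_decode(raw)
            reason = classify(value)
            if reason:
                # A 2xx status means the server answered the request.
                served = status.startswith("2")
                findings.append((line_no, name, value, reason, served))
    return findings

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Aug/2002:15:40:01 -0400] "GET /forum/tmp_view.php?file=/etc/passwd HTTP/1.0" 200 1432',
    '192.0.2.10 - - [20/Aug/2002:15:40:09 -0400] "GET /forum/tmp_view.php?file=%252Fetc%252Fpasswd HTTP/1.0" 404 210',
    '192.0.2.44 - - [20/Aug/2002:15:41:30 -0400] "GET /forum/index.php?t=msg&th=12 HTTP/1.0" 200 8841',
    '192.0.2.10 - - [20/Aug/2002:15:42:12 -0400] "GET /forum/tmp_view.php?file=../../etc/passwd HTTP/1.0" 403 199',
]
```

Findings with `served` set to true are the ones to triage first, since the server returned content for that request. Legitimate parameters that carry site-relative paths will also match, so scope the scan to the endpoints that read files.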