FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » SECURITY HOLE in 2.0
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
SECURITY HOLE in 2.0 [message #5077] Tue, 20 August 2002 15:48 Go to previous message
PestControl is currently offline  PestControl   United States
Messages: 1
Registered: June 2002
Location: Greenfield, MA
Karma:
Junior Member
Hi, folks. Look what my intrusion detection system caught:

GET /forum/tmp_view.php?file=/etc/passwd

I tested it and it does what you'd expect. Since my IDS caught it, that means it's already being actively exploited by system crackers.

The file tmp_view.php from FUDForum 2.0 can be used to view any file on the machine that's readable by the user the web server runs as. This is a Bad Thing(tm).

I upgraded to FUDForum 2.2.3 and the problem has been fixed. I only bring it up here because I believe it's important that people running older versions of the forum software be made aware of this problem and upgrade ASAP.


Bleeding head GOOD, healed head BAD!!

[Updated on: Tue, 20 August 2002 15:53]

Report message to a moderator

[Message index]
 
Read Message
Read Message
Previous Topic: post at Moderated Forum
Next Topic: Registration Error 2.3.0RC3
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 06:00:21 GMT 2024

Total time taken to generate the page: 0.03910 seconds