[sec-adv] forum51 / board51 / news51 Password Hash Disclosure

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Sat Jul 12 2003 - 05:48:43 CDT


TITLE:
forum51 / board51 / news51 Password Hash Disclosure

READ ONLINE:
http://www.secunia.com/advisories/9253/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
forum51 2.x
board51 1.x
board51 2.x
news51 1.x

DESCRIPTION:
An information disclosure vulnerability has been reported in forum51,
board51, and news51, which can be exploited by malicious people to
gain knowledge of a user's password hash.

The vulnerability is caused by an access control error that allows
anyone to access "user.idx" in the "data/" directory, which contains
the password hashes. It may then be possible to recover the password
from its hash with a dictionary or brute-force attack.

The vulnerability has been reported in the following versions, but
others may also be affected:
- board51 v1.0b and v2.0
- forum51 v2.5b and v2.6b
- news51 v1.0a and v1.5

SOLUTION:
Restrict access to the "data/" directory and use strong passwords.

REPORTED BY / CREDITS:
Marc Bromm

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : support@secunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------
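
An added example, not part of the Secunia advisory or the vendor's code: a Python audit for the SOLUTION step that walks a web root, finds each "data/user.idx", and reports whether that directory carries a deny-all ".htaccess". It assumes Apache httpd with AllowOverride enabled; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: Apache httpd with AllowOverride enabled, so data/.htaccess is
# honoured. Other servers need the equivalent deny rule in their own config.
# Matches an uncommented Apache 2.4 ("Require all denied") or 2.2
# ("Deny from all") rule on a line of its own.
DENY_RE = re.compile(
    r"^\s*(require\s+all\s+denied|deny\s+from\s+all)\s*$", re.I | re.M)


def htaccess_denies(directory):
    """True if directory/.htaccess contains an uncommented deny-all rule."""
    try:
        with open(os.path.join(directory, ".htaccess"),
                  encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:  # missing or unreadable file counts as no protection
        return False


def audit(docroot):
    """Return sorted (path, finding) pairs for every data/user.idx found."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if os.path.basename(dirpath) != "data" or "user.idx" not in files:
            continue
        idx = os.path.join(dirpath, "user.idx")
        if htaccess_denies(dirpath):
            findings.append((idx, "protected by .htaccess"))
        else:
            findings.append((idx, "EXPOSED: no deny rule in data/.htaccess"))
    return sorted(findings)


def demo():
    """Constructed sample tree: one unprotected and one protected install."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for app, rule in (("forum51", None), ("board51", "Require all denied\n")):
        data = os.path.join(root, app, "data")
        os.makedirs(data)
        with open(os.path.join(data, "user.idx"), "w") as fh:
            fh.write("constructed placeholder, not a real hash file\n")
        if rule:
            with open(os.path.join(data, ".htaccess"), "w") as fh:
                fh.write(rule)
    return root, audit(root)


if __name__ == "__main__":
    for path, finding in demo()[1]:
        print(f"{finding}: {path}")
```

A "protected" result only shows that the rule is present on disk; requesting the file through the web server and confirming a 403 is still the final check.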