Subject: Re: wwwboard my help reveal user name and password
From: Shelagh Pepper (spepperWLU.CA)
Date: Fri Jul 07 2000 - 11:23:39 CDT


Workaround is to deny access to passwd.txt files.
Apache-specific directive is:

<Files passwd.txt>
     Order allow,deny
     Deny from all
</Files>

I would put a .htaccess file in wwwboards similar to the following:

<Files *.txt>
     Order allow,deny
     Deny from all
</Files>
ErrorDocument 403 /Lame_excuses/not_found.html

Shelagh

At 03:00 AM 7/7/00 -0400, Julian Linton wrote:
>This is probably well known already. If wwwboard.pl is installed with most of
>its default settings, any web user can access
>http://www.somesite.com/wwwboard/passwd.txt.
>This will show the username and encrypted password for the wwwadmin.pl
>script. I did a search on the internet and many of the sites that are
>running wwwboard use the same password and username for other services,
>such as ftp or telnet. I feel this can be a problem since the passwd.txt
>file is world readable.
>
>Julian Linton
>CIS Student FAMU.EDU
>jlintoncis.famu.edu
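
An added example, not part of the original thread: a bash audit that lists every passwd.txt under a web root and reports whether an .htaccess <Files> rule like the ones in the reply denies it. The function names and the sample tree are constructed for illustration; the check reads .htaccess text only and assumes the server honours overrides.

```bash
#!/usr/bin/env bash
# Added example: list passwd.txt files under a docroot and whether a <Files>
# deny rule in an .htaccess covers them. Heuristic: reads the .htaccess text
# only; it assumes AllowOverride lets Apache honour the file.

# Succeeds if $1/.htaccess has a <Files> block for passwd.txt or *.txt
# that contains "Deny from all" (or the Apache 2.4 "Require all denied").
htaccess_denies() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /<files[ \t]+"?(passwd\.txt|\*\.txt)"?[ \t]*>/ { inblock = 1; next }
        line ~ /<\/files>/ { inblock = 0 }
        inblock && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
        END { exit !found }
    ' "$1/.htaccess"
}

# Prints "DENIED <path>" or "EXPOSED <path>" for each passwd.txt under $1.
audit_docroot() {
    local root="${1%/}" f dir status
    root=${root:-/}
    find "$root" -type f -name passwd.txt | sort | while IFS= read -r f; do
        dir=$(dirname "$f"); status=EXPOSED
        # .htaccess rules are inherited, so walk up to the docroot.
        while :; do
            if htaccess_denies "$dir"; then status=DENIED; break; fi
            case "$dir" in "$root"|/|.) break ;; esac
            dir=$(dirname "$dir")
        done
        printf '%s %s\n' "$status" "$f"
    done
}

# Constructed sample tree: one unprotected board, one with the *.txt rule.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/open/wwwboard" "$t/safe/wwwboard"
    echo 'admin:CONSTRUCTED-HASH' > "$t/open/wwwboard/passwd.txt"
    echo 'admin:CONSTRUCTED-HASH' > "$t/safe/wwwboard/passwd.txt"
    printf '<Files *.txt>\n    Order allow,deny\n    Deny from all\n</Files>\n' \
        > "$t/safe/wwwboard/.htaccess"
    audit_docroot "$t"
    rm -rf "$t"
}

if [ "$#" -gt 0 ]; then audit_docroot "$1"; else demo; fi
```

Run it with the document root as the only argument; with no argument it audits the constructed sample tree.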