lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 7 Jan 2008 14:39:03 -0500
From: "Aaron Cake" <aaron@...pm.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: [HSC] Snitz Forums Multiple Vulnerabilities

> - Default Database Disclosure:
> /forum/snitz_forums_2000.mdb
> Solution:
> Change the database name. The name should be a combination of 
> letters and numbers. 
> 
> That makes it hard for anyone to guess the name of your database.

As a long time Snitz user who has installed it far more times then one would
consider sane, I question the validity of this advisory. While it is true
that the default database location is insecure, it is very clear in the
readme file that the database should be moved or at the very least renamed:

"Change the database name:
When using an Access database, all the data is stored in a single file,
unlike the other databases. So caution should be taken in where you store
your Access database as it can be downloaded by anyone if they know the
path. 
If you store your Access database in a folder outside of your www folder (or
wherever you keep the files for the rest of your site), then you should be
safe because no one can download your database if it is outside of your www
folder.
If you store your database in a cgi-bin folder, or in your www folder, then
it is strongly recommended that you change the default database name from
snitz_forums_2000.mdb to a cryptic or not easy to guess name. The name
should be a combination of letters and numbers. That makes it hard for
anyone to guess the name of your database."
    -Quoted from Snitz Forums 2000 README.HTM

The solution in this advisory is the same as mentioned in the README.HTM
setup instructions, and still not a good one compared to moving the file to
a directory not accessible to the public.

> - Information Leakage:  (Version: 3.4.05)
> Will show the Database path: /forum/whereami.asp
> 

The whereami.asp is not installed by default. It is in a ZIP file that is
optional to extract. And it will only provide the physical location of the
database if the database is in a web accessible area with the whereami.asp
file.

These are configuration issues, not security vulnerabilities.

---
Aaron Cake
Technical Services
Advanced Computer Ideas
Phone: 1-519-433-0279
Fax:   1-519-433-5413

Powered by blists - more mailing lists