COMMAND

    wwwthreads

SYSTEMS AFFECTED

    Systems using WWW Threads up to v2.7.3

PROBLEM

    Ken Williams found the following. The WWW Threads discussion forum
    software from:

        http://www.screamingweb.com/wwwthreads/

    has several security holes and coding weaknesses. When running the
    install script, the data directories are created in a publicly
    accessible area. The install instructions also direct the user to
    create the data directory in a publicly accessible directory
    under "html" or "public_html". The data directories contain,
    among other things, administrator and user logins and passwords.
    These passwords are written to files in plaintext, and the files
    can easily be viewed and/or downloaded by anyone with a web
    browser. There also appears to be no error or bounds checking in
    the administrative cgi scripts, so exploit code can easily be
    executed remotely once the plaintext passwords are retrieved.

    These bugs  and security  holes are  present in  the latest bugfix
    release  of  WWW  Threads  (wwwthreads  v2.7.3),  and  all earlier
    releases that have been checked (2.6.* and 2.7.*).

SOLUTION

    Suggested fixes:

    1) move the data  directories to non-publicly accessible  area and
       correct the appropriate lines in the cgi scripts.
    2) remove all (g) and (o) permissions to prevent local exploitation.
    3) use the  UNIX crypt() function  or something similar  to encode
       passwords written to files.
    4) add a "referer" variable to the cgi scripts so commands can
       only be executed on the local server that has WWW Threads installed
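
    An added example (not part of the original advisory or of WWW
    Threads) that checks whether fixes 1 and 2 have been applied to a
    data directory and applies fix 2. The function names and both path
    arguments are assumptions supplied by the administrator.

```shell
#!/bin/sh
# Added example: audit and tighten a WWW Threads data directory.
# Usage: audit_data_dir DOCROOT DATADIR   (both paths are assumptions)

# Resolve a directory to its physical path, following symlinks.
real_dir() { ( cd "$1" 2>/dev/null && pwd -P ); }

# Return 0 when DATADIR is DOCROOT or lies beneath it (fix 1 not applied).
# Path check only: web server aliases pointing at DATADIR are not detected.
is_web_reachable() {
    docroot=$(real_dir "$1") || return 2
    datadir=$(real_dir "$2") || return 2
    case "$datadir/" in
        "$docroot"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# List entries under DATADIR that carry any group or other permission bit.
loose_entries() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Fix 2: strip every group and other permission bit, recursively.
harden_perms() { chmod -R go-rwx "$1"; }

# Report findings; the return status is the number of failed checks (0-2).
audit_data_dir() {
    findings=0
    if is_web_reachable "$1" "$2"; then
        echo "FAIL: $2 is inside document root $1"
        findings=$((findings + 1))
    fi
    loose=$(loose_entries "$2" | wc -l | tr -d ' ')
    if [ "$loose" -gt 0 ]; then
        echo "FAIL: $loose entries under $2 have group/other permission bits"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

    harden_perms assumes the cgi scripts run as the owner of the data
    files; if the web server runs them as a different user, the forum
    loses access to its own data once the group and other bits are gone.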