8< --------------------------------------------------------------------

Chit Chat security problem

Chit Chat has its permissions all wrong. This allows anyone to remotely
read sensitive files such as the encrypted passwd.txt file. Anyone can
read it --> crack it and alter the board as though he was the
administrator...

-rw-rw-r-- 1 zillion zillion   0 Oct 18 16:00 data.txt
-rw-rw-r-- 1 zillion zillion   0 Oct 18 16:03 footer.html
-rw-rw-r-- 1 zillion zillion   0 Oct 18 16:00 header.html
-rw-rw-r-- 1 zillion zillion  44 Oct  7 07:05 index.html
-rwxrwxrwx 1 zillion zillion   0 Oct 18 16:00 ip.txt
-rw-rw-r-- 1 zillion zillion   0 Oct 18 16:00 message.txt
-rwxrwxrwx 1 zillion zillion  13 Oct  7 07:05 passwd.txt
-rw-rw-r-- 1 zillion zillion 151 Oct 21 13:37 strip.txt

The developers say this in their readme.txt:

---cut---
2. CHMOD the files directory to 777 (world read/writeable)
3. CHMOD the archive directory to 777 (world read/writeable)
4. CHMOD ip.txt, passwd.txt, data.txt and strip.txt to 777 (world read/writable)
---cut---

So the permissions are wrong, and information such as a password file
should never be stored in the served directories. The developers have
been notified but have not released any fix yet...

zillion
http://www.safemode.org
http://cgi-security.org

8< ------------------------------------------------------------------------
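
The two problems described above (world-writable files, and a password file kept inside the served directory) can be audited with a short script. This is an added example, not part of the advisory or of Chit Chat; the function names, the "served"/"private" directory names, the credential name patterns, and the hardening step are assumptions, and the file layout is a constructed copy of the listing above.

```sh
#!/bin/sh
# Added example. Everything runs in a constructed temp directory.

# List regular files under $1 that are world-writable (o+w).
world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# List world-readable (o+r) files under $1 with a credential-like name.
# The name patterns are an assumption, not taken from the advisory.
exposed_secrets() {
    find "$1" -type f -perm -0004 \( -name 'passwd*' -o -name '.htpasswd' \) | sort
}

# Constructed sample: same file names and modes as the advisory's listing,
# placed in "served", which stands in for the web-served directory.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/served" || return 1
    for f in data.txt footer.html header.html index.html message.txt strip.txt; do
        : > "$d/served/$f" && chmod 664 "$d/served/$f"
    done
    for f in ip.txt passwd.txt; do
        : > "$d/served/$f" && chmod 777 "$d/served/$f"
    done
    echo "$d"
}

# One possible hardening (assumes the board's scripts run as the file owner):
# move passwd.txt outside the served tree and remove world-write everywhere.
harden() {
    mkdir -p "$1/private" && chmod 700 "$1/private" &&
    mv "$1/served/passwd.txt" "$1/private/passwd.txt" &&
    chmod 600 "$1/private/passwd.txt" &&
    find "$1/served" -type f -exec chmod o-w {} +
}

# Demo: audit, harden, audit again.
demo=$(make_sample)
echo "before:"; world_writable "$demo/served"; exposed_secrets "$demo/served"
harden "$demo"
echo "after:"; world_writable "$demo"; exposed_secrets "$demo/served"
rm -rf "$demo"
```

Before hardening the audit reports ip.txt and passwd.txt as world-writable and passwd.txt as an exposed credential file; afterwards both checks come back empty.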