This is the reason why I didn't want to volunteer to install UBB for you
guys: the responsibility of having it secure...

Here's a few issues with UBB.

1. Chmod 777, which is always a BAD idea (i.e. any user on the SLP server can
find out the admin passwords, etc.).
2. Your member files are all .cgi and +x, and check out what's on the
first line... You guys should be able to figure it out.

These are only 2 of the security loopholes in UBB. They are not really
loopholes but POSSIBLE loopholes. I've yet to hunt them all out and
will give feedback when I have more.

UBB was quite sloppily written and requires patching and constant
monitoring. CGI-wrapping and 750 usually solve the problem.


Elvin
-
On Mon, 11 Oct 1999, Caleb wrote:

> Date: Mon, 11 Oct 1999 08:10:28 +0800
> From: Caleb <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [SLP] Re: Ultimate Bulletin Board Ready
> 
> Hi Eugene & All,
> 
> Urm not very sure about this, I was following the instructions from UBB at
> http://www.ultimatebb.com/home/firsttimeinstall.shtml
> 
> They said to "Set your CGI Directory to 755. Within the CGI directory, set
> all files to 755, except for the variable files (mods.file, Styles.file,
> UltBB.setup and forums.cgi), which should be set to mode 777."
> 
> I'll see what i can dig up in the meantime..
> 
> Caleb
> 
> ----- Original Message -----
> From: Eugene Teo <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: Caleb <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, October 11, 1999 12:47 AM
> Subject: Re: [SLP] Re: Ultimate Bulletin Board Ready
> 
> 
> >
> > Hmm is there a need to make the UBB configuration files chmod 777??
> > and our webserver is running as nobody. hmmmm.
> >
> > --
> > main(i){putchar(182623909>>(i-1)*5&31|!!(i<7)<<6)&&main(++i);}
> > [EMAIL PROTECTED] - http://linux.com.sg/~amnesia/
> >
> > "WinError FFF: Ran out of memory for more error messages."
> >
> >
> > On Mon, 11 Oct 1999, Eugene Teo wrote:
> >
> > >
> > > Oh yes, please do make sure that UBB doesn't pose a security risk. Thank
> > > you. I will update you and the list if there is something that i
> > > discovered doesn't seem right. Join you in 3-4 weeks time.
> > >
> > > --
> > > main(i){putchar(182623909>>(i-1)*5&31|!!(i<7)<<6)&&main(++i);}
> > > [EMAIL PROTECTED] - http://linux.com.sg/~amnesia/
> > >
> > > "WinError FFF: Ran out of memory for more error messages."
> > >
> > >
> > > On Mon, 11 Oct 1999, Ng Kai Hoe Raymond wrote:
> > >
> > > > Caleb wrote:
> > > >
> > > > > Hi Raymond, Ok the board's up. Here are the details:
> > > > > Board Location - http://www.linux.com.sg/cgi-bin/ubb/Ultimate.cgi
> > > > > Administrator's Area - http://www.linux.com.sg/ubb/cp.html
> > > > > Username :
> > > >
> > > > Caleb and guys,
> > > >
> > > > All thanks to Caleb that we have the forum working.
> > > > Please advise us whether we need to pay anyone money.
> > > >
> > > > The next step is to plan the kind of forums and users
> > > > policies that go with it. Let me make a few recommendations,
> > > > you can choose to fire it down, and please do feel free
> > > > to add on to my list.
> > > >
> > > > 1) Forget about the registrations, I do not want others to have
> > > > a barrier to entry to our forum. If they choose to post as
> > > > anonymous, let them do so. Caleb, is there any way to do it?
> > > >
> > > > 2) I suggest that we set up some automatic mechanism so that mails
> > > > to lug-list and slugnet are automatically posted to
> > > > one of the forums (or 2). That forum will act as an archive for
> > > > all the mails to slugnet and lug-list. It will also act as a showcase
> > > > for people who are not on those lists. Who wants to practise
> > > > their scripting and sendmail capabilities? give you a hint, use
> > > > .forward and pipe (yes, that is the word) the mail to a script
> > > > which will post to the forum. When that script is up, the system
> > > > does its own posting.
> > > >
> > > > 3) We will create 3 folders first. 1 for general discussion, technical
> > > > support, 1 for archiving slugnet's emails, 1 for archiving lug-list's
> > > > emails. Any additional folders (eg FreeSWAN, Security) can be
> > > > created on demand and need.
> > > >
> > > > That is all for now. Anyway, thanks Caleb, that is good work which
> > > > you have done there.
> > > >
> > > > Can someone write the Singapore Linux Portal's pages into a
> > > > CDROM? I guess I will be buying a CDR soon.
> > > >
> > > > --
> > > > -------------------------------------------------------------
> > > > Ng Kai Hoe Raymond   Pager : 92279944       ICQ UIN : 4878260
> > > > Manager, Research and Development, Telford Solutions
> > > > Editor, Singapore Linux Portal http://linux.com.sg
> > > > Email : [EMAIL PROTECTED] / [EMAIL PROTECTED]
> > > > PGP Public Key : http://linux.com.sg/~ngkaihoe/ngkaihoe.txt
> > > >
> > > > 'This has given me the greatest trouble and still does: to realize
> > > >  that what things are called is incomparably more important than what
> > > >  they are.'
> > > >  - Friedrich Wilhelm Nietzsche, "The Gay Science"
> > > >
> > > >
> > > >
> > >
> >
> >
> 

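The two points Elvin raises (world-writable 777 variable files that any local user can read, and executable member files whose first line gives away that they are scripts) and his suggested fix (CGI-wrapping plus 750) can be checked and applied with a small audit script. The following is an added example written for this page, not UBB's own code or anything from the original thread. It assumes the UBB layout named in the install instructions (Ultimate.cgi, mods.file, Styles.file, UltBB.setup, forums.cgi) plus a Members/ subdirectory of per-member *.cgi files; the Members/ name and the per-member file name are assumptions, as is the choice to set data files to 640 rather than 750 (the wrapper runs scripts as the file owner, so the data files need no execute bit and the web server user needs no access of its own). It only changes modes; re-owning the tree to the account the CGI wrapper runs as is left to the administrator. The sample tree it builds is constructed, with a fake password.

```shell
#!/bin/sh
# Added example (not UBB's code): audit and harden a UBB-style CGI directory.
# Assumed layout: the board's CGI dir holds Ultimate.cgi, the "variable files"
# (mods.file, Styles.file, UltBB.setup, forums.cgi) and a Members/ subdirectory
# of per-member *.cgi files. The Members/ name is an assumption.

# Print every regular file under $1 that is world-writable (the 777 problem).
ubb_audit() {
    find "$1" -type f -perm -0002
}

count_world_writable() {
    ubb_audit "$1" | wc -l | tr -d ' '
}

# Count files any local user can read; the file holding admin passwords
# must not be among them.
count_world_readable() {
    find "$1" -type f -perm -0004 | wc -l | tr -d ' '
}

# Show the first line of each member file: an executable .cgi that starts
# with a #! line is a script, and a world-readable one is open to any local user.
ubb_member_shebangs() {
    for f in "$1"/Members/*.cgi; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$f" "$(head -n 1 "$f")"
    done
}

# Hardening for a CGI-wrapped setup (scripts run as the file owner, so the
# web server user needs nothing): scripts 750, data files 640 (assumed
# choice; the thread says 750), directories 750. "other" gets no bits at all.
ubb_harden() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -name '*.cgi' -exec chmod 750 {} +
    find "$1" -type f ! -name '*.cgi' -exec chmod 640 {} +
}

# Build a constructed sample tree with the modes the UBB install instructions
# ask for, so the functions above can be tried offline.
ubb_make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/Members"
    printf '#!/usr/bin/perl\n# main board script (constructed stand-in)\n' > "$d/Ultimate.cgi"
    chmod 755 "$d/Ultimate.cgi"
    printf 'admin_pass=notarealpassword\n' > "$d/UltBB.setup"   # constructed data
    chmod 777 "$d/UltBB.setup"
    printf '1|General|\n' > "$d/forums.cgi"                       # constructed data
    chmod 777 "$d/forums.cgi"
    printf '#!/usr/bin/perl\n# member record (constructed stand-in)\n' > "$d/Members/00000001.cgi"
    chmod 755 "$d/Members/00000001.cgi"
    printf '%s\n' "$d"
}

# Usage: sh ubb_perms.sh DIR        (audit only)
#        sh ubb_perms.sh --fix DIR  (harden, then list anything still world-writable)
#        sh ubb_perms.sh --demo     (run against a constructed sample tree)
case "${1:-}" in
    "")     ;;                                  # sourced: only define the functions
    --demo) d=$(ubb_make_sample)
            echo "before:"; ubb_audit "$d"; ubb_member_shebangs "$d"
            ubb_harden "$d"
            echo "after: $(count_world_writable "$d") world-writable files"
            rm -rf "$d" ;;
    --fix)  ubb_harden "$2"; ubb_audit "$2" ;;
    *)      ubb_audit "$1"; ubb_member_shebangs "$1" ;;
esac
```

Run it with `--demo` first: on the sample tree it lists UltBB.setup and forums.cgi as world-writable and prints the `#!/usr/bin/perl` line of the member file, then reports zero world-writable files after hardening. Against a real board, the `--fix` mode is only safe once a CGI wrapper (or suexec) is in place and the tree is owned by the account the wrapper runs the scripts as; with the server still running scripts as `nobody`, 750 would stop the board from reading its own files.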