Date: Sat, 24 Apr 1999 03:55:39 +0200
From: "Bluefish [@ home]" <11a@GMX.NET>
To: BUGTRAQ@netspace.org
Subject: Anyboard (www.netbula.com) problem's publicly discussed in eurohack

Draz Q published a short summary of problems with a web-related software in eurohack. Basically it sounds pretty much like a common CGI problem. It does not give user or root access, only the ability to fake/modify just about anything shown by the program. However, in the parts left out by me Draz Q mentions a great many sites (including commercial sites) exposed to the vulnerability.

=========================================================================
Anyboard Forum Security Hazard - POSTED ON Eurohack and Radikal 23/04/99 by draz Q.
=========================================================================

Anyboard by Netbula (www.netbula.com)

After using the Anyboard Forum at my own page (www.radikal.net/radikal) for a while I've found a "little" (?) flaw in it that allows _anyone_ to get the admin login and password. This is because the forum CFG file is available to anyone. This allows anyone to:

- Delete messages in the forum (purge the whole forum)
- Modify messages
- Write messages as Admin
- Change admin login and password
- In short, do anything in the Message forum

[official] http://www.11a.nu/
[mirror.1] http://194.236.13.242/11a/index.html
[mirror.2] http://home.swipnet.se/~w-12702/11A/
[my.email] ealliance$hotmail.com || 11a$gmx.net
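
A defender-side check for the condition the post describes (a forum config file holding the admin login in a place the web server will serve), as an added example that is not part of the original post or Netbula's code: it walks a document root and reports config files that contain credential-like settings. The file names, the `key=value` layout and the setting names are assumptions, since the post does not describe Anyboard's config format.

```python
import os
import re
import tempfile

# Assumed (hypothetical) setting names that indicate stored credentials;
# adjust the pattern to the real config format of the software being audited.
CREDENTIAL_KEY = re.compile(r"^\s*(\w*(?:passw(?:or)?d|login)\w*)\s*[=:]", re.I | re.M)
CONFIG_EXTENSIONS = {".cfg", ".conf", ".ini"}


def find_exposed_configs(docroot):
    """Return sorted (relative_path, [setting names]) for config files under
    docroot that hold credential-like settings. Anything under the document
    root is treated as fetchable by URL unless the server denies it."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in CONFIG_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)  # config files are small; cap the read
            except OSError:
                continue  # unreadable by the auditing account, skip
            keys = sorted({m.group(1).lower() for m in CREDENTIAL_KEY.finditer(text)})
            if keys:
                findings.append((os.path.relpath(path, docroot), keys))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree: one forum config with credentials, two harmless files."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "forum", "board.cfg"), "w") as fh:
        fh.write("forum_name=Example\nadmin_login=admin\nadmin_password=CONSTRUCTED\n")
    with open(os.path.join(root, "forum", "layout.cfg"), "w") as fh:
        fh.write("bgcolor=#ffffff\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>password reset page</html>\n")
    return root


if __name__ == "__main__":
    for rel, keys in find_exposed_configs(build_sample_docroot()):
        print(f"{rel}: credential settings {keys} stored under the web root")
```

Any file it reports should be moved outside the document root or blocked by the server's access rules, and the credentials in it changed.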