Fiero Factory Security

[robert]

I sent the Webmaster of the site a mail over a week ago with no response, so I am posting the info here for members information.

The Fiero Factory website is insecure. The user database is wide open, as is the setup file.

This is what I was able to pull off the site, a subset of the user database and a portion of the setup file.

xxxxx|Andy Green|admin|Andrew|Green|xxxxx@raima.co.uk|on
xxxxx|Steve|normal|Stephen|Briddon|xxxxx@fierofact ory.org|on
xxxxx|Andy|admin|Andrew|Green|xxxxx@agwebsites.co. uk|on
xxxxx|jawsbyte|normal|John|Williams|john.williams@ xxxxx.net|on
xxxxx|mike|normal|mike|shepherd|steeringeng@xxxxx. com|on
xxxxx|rocket|normal|Roger|Williamson|r.williamson1 @xxxxx.com|on
xxxxx|Andrew|normal|Andrew|Green|xxxxx@agsite.co.u k|on

# $cgiurl is the URL corresponding to $cgidir
# Use full URL

$cgiurl = "http://www.fierofactory.org/cgi-bin/dcforum";

# $maindir is the directory path to the /htdocs/dcforum

$maindir = "/xxxxx/xxxxx/_f/_i/_e/fierofactory.org/public/www/dcforum";

# $mainurl is the URL corresponding to $maindir

$mainurl = "http://www.fierofactory.org/dcforum";


The information to correctly configure the security is part of the install documents.

[Miket]

>
>The Fiero Factory website is insecure. The user database is
>wide open, as is the setup file.
>

That doesn't surprise me one bit.

[chris m]

Are we (by default) "registered" with this site then?

Can we all go in and delete our userids :+ or other peoples (but who would do something like that?) {-} {-}

[robert]

>Are we (by default) "registered" with this site then?

No, we are not registered by default on the fiero factory site.

>Can we all go in and delete our userids :+ or other peoples
>(but who would do something like that?) {-} {-}

No, it would be illegal to run Lophtcrack on the user database and enumerate the passwords, hence the reason I have deleted the passwords from the post above.

[agwebsites]

Thanks Robert,

You know my email address so why didn't you contact me directly about it.

When I have found problems with your forum in the past I have both emailed you the information and tried to help you fix them with as much information as posible.

Well I guess you have shown your true colours to everyone now!!

Andy



http://www.corporanda.com/cos-race.gif

http://www.fierofactory.org

[ejr]

>>
>>The Fiero Factory website is insecure. The user database is
>>wide open, as is the setup file.
>>

>That doesn't surprise me one bit.

May I ask why ?


eric.rundle@ntu.ac.uk

[robert]

Andy

Please re-read my original post.

"I sent the Webmaster of the site a mail over a week ago with no response, so I am posting the info here for members information."

[agwebsites]

I have been through my emails and I have not received one email from you regarding the matter. I have other emails from you set last week so that would suggest you never did send an email.


Andy

http://www.corporanda.com/cos-race.gif

http://www.fierofactory.org

[robert]

Andy

The emails are in my sent box.

Regarding your recent emails to me.

1. I am not a t*at
2. I did not hack your site, the information is readily available to anyone who cares to look at it. I suggest you secure the server before accusing me of hacking the site and look forward to hearing from your legal team in due course.

[agwebsites]

If you emailed me through the forum then it wouldn't have been stored in your sent box now would it!

Andy



http://www.corporanda.com/cos-race.gif

http://www.fierofactory.org