On bugtrack, someone posted a security bug on AnyBoard. Is it true?
YES, there is a most serious security hole built into the forum software. By default the AnyBoard SW comes with an admin account with an empty password, and nowhere is this mentioned. The built-in default admin backdoor allows ALL the world to install and run whatever they want on your webspace.
I have myself been the victim of multiple exploitations of my 5 forums.
When I noticed the security breach and the root cause of it, I contacted support by email and got NO reply and NO help at all; forum posts also remained unanswered. At that time there were many times more installs on the web than today, 2011.
I searched Google for a few dozen forum installs, and ALL webmasters who replied to my security notification found their own forum compromised. I was running a commercial (paid) version of the forum. All email requests remained without reply, and a post in the support forum went unanswered.
If you check the support forum on the AnyBoard website, you'll see that that page (the support) has been removed.
If you search Google for installed AnyBoard forums,
inurl:anyboard.cgi
there are still a few hundred thousand installs out there. Some may be installs never used but still acting as hacker sites.
If you have such a forum, SECURE it when still in use or delete it if unused.
No. The person who posted the bug had no clue and the bug report was completely bogus. And he actually continued using AnyBoard for a very long time without worrying about the big holes he claimed to exist in AnyBoard. The passwords in AnyBoard are all one-way encrypted just like UNIX passwords, using the same crypt() function. One can't get the original password back from the encrypted ones. Also, on systems with permissions set properly, the .forum_cfg file is not readable off the web.

51. I got an authentication error when trying to create a new forum.

To create a new forum, you must have the password for the master administrator. You set the master admin login and password during the script install step. If you have forgotten the password, do this:
1) find a file named "config" under the $master_cfg_dir of your installation
2) delete the file
3) re-run the ?cmd=init command to re-create the master admin account
4) proceed to create a new forum using the newly created master admin.
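The answer to the bug-report question above rests on ".forum_cfg" not being readable when permissions are set properly. The following check is an added example, not AnyBoard code or part of the FAQ: it walks a web directory you own and reports every ".forum_cfg" (and, optionally, the master "config" file) whose mode bits are loose. The function name `audit_tree`, its parameters, and the reading of "set properly" as "no access for other users" are assumptions; whether a file is actually served also depends on the web server configuration.

```python
import os
import stat
import tempfile

CFG_NAME = ".forum_cfg"   # per-forum config file name, from the FAQ answer


def audit_tree(root, master_cfg_dir=None):
    """Return sorted (path, mode, problems) for config files with loose modes.

    master_cfg_dir is optional; when given, the file named "config" inside it
    (the master admin file the FAQ mentions) is checked as well.
    """
    targets = []
    for dirpath, _dirs, files in os.walk(root):
        if CFG_NAME in files:
            targets.append(os.path.join(dirpath, CFG_NAME))
    if master_cfg_dir:
        master = os.path.join(master_cfg_dir, "config")
        if os.path.lexists(master):
            targets.append(master)

    findings = []
    for path in sorted(set(targets)):
        st = os.lstat(path)          # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, None, ["symlink"]))
            continue
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if mode & stat.S_IROTH:
            problems.append("world-readable")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("group/world-writable")
        if problems:
            findings.append((path, oct(mode), problems))
    return findings


if __name__ == "__main__":
    # Constructed sample tree: one loose and one tight forum config.
    with tempfile.TemporaryDirectory() as web:
        for name, mode in (("forum_a", 0o644), ("forum_b", 0o600)):
            os.makedirs(os.path.join(web, name))
            cfg = os.path.join(web, name, CFG_NAME)
            open(cfg, "w").close()
            os.chmod(cfg, mode)
        for path, mode, problems in audit_tree(web):
            print(mode, ",".join(problems), path)
```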