


Category:   Application (Generic)  >   BiTBOARD
Vendors:   BiTSHiFTERS
BiTBOARD Discloses Administrator's Hashed Password to Remote Users
SecurityTracker Alert ID:  1007162
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 10 2003
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2
Description:   A vulnerability was reported in the BiTBOARD (bitboard2) forum software. A remote user can view the administrator's hashed password.

It is reported that a remote user can access the hashed password from the "/admin/data_passwd.dat" file.

Impact:   A remote user can obtain the administrator's hashed password and attempt to crack it.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to issue a fix in the next release.
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
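The cause field above ("Access control error") describes a flat-file application keeping its credential store inside the served document root. As an added audit example (not part of the SecurityTracker entry or of the bitboard2 project), the following Python script walks a document root and flags data files that consist only of crypt(3)-style hashes and are not shielded by a blanket-deny .htaccess. The directory layout, file names and hash strings are constructed for the demonstration; the hash pattern and the .htaccess check are heuristics, not the project's own logic.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): traditional DES crypt(3) is 13 chars of [./0-9A-Za-z];
# modular-crypt forms start with $1$, $2$, $5$ or $6$.
CRYPT_HASH_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|\$[1256]\$\S{8,})$")
# File suffixes a flat-file board typically uses for its data store.
DATA_SUFFIXES = {".dat", ".txt", ".csv", ".db", ".inc"}


def htaccess_denies(directory: Path) -> bool:
    """Crude check for a blanket deny in this directory's .htaccess
    (Apache 2.2 'Deny from all' or Apache 2.4 'Require all denied')."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return "deny from all" in text or "require all denied" in text


def find_exposed_hash_files(docroot) -> list:
    """Return docroot-relative URL paths of data files that hold only
    crypt-style hashes and would be served as static files."""
    docroot = Path(docroot)
    findings = []
    for path in docroot.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DATA_SUFFIXES:
            continue
        if htaccess_denies(path.parent):
            continue  # blocked at the web-server layer
        with path.open(errors="replace") as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
        if lines and all(CRYPT_HASH_RE.match(ln) for ln in lines):
            findings.append("/" + path.relative_to(docroot).as_posix())
    return sorted(findings)


def build_sample_docroot() -> Path:
    """Constructed sample document root mimicking a flat-file board layout."""
    root = Path(tempfile.mkdtemp())
    (root / "admin").mkdir()
    (root / "admin" / "data_passwd.dat").write_text("ab0dXMTn7RZxU\n")  # constructed
    (root / "admin" / "index.php").write_text("<?php // admin ui ?>\n")
    (root / "data").mkdir()
    (root / "data" / "threads.txt").write_text("1|hello|first post\n")
    (root / "private").mkdir()
    (root / "private" / ".htaccess").write_text("Require all denied\n")
    (root / "private" / "users.dat").write_text("$1$abcdefgh$ijklmnopqrstuvwxyz0123\n")
    return root


if __name__ == "__main__":
    for hit in find_exposed_hash_files(build_sample_docroot()):
        print("credential file reachable from the web root:", hit)
```

Files protected only by a denying .htaccess are skipped, so a finding means the file is reachable with no web-server rule in the way; the durable fix is to keep such data outside the document root entirely.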

Message History:   None.

 Source Message Contents

Subject:  Information Disclosure Vulnerability in bitboard2


Advisory Information
Advisory Name      : Information Disclosure Vulnerability in bitboard2
Author             : Marc Bromm <> Germany
Discovered by      : Marc Bromm <> Germany
Release Date       : 9 July 2003
Application        : bitboard2 (textfile based board)
Vendor Homepage    :
Vendor Status      : notified
Vulnerable Versions: bitboard2  (maybe older)
Platforms          : OS Independent, PHP
Severity           : High


bitboard2 is a board that needs no database to work, so it is useful
for webmasters who have no access to an SQL database.


1. Get the admin password hash

The crypt hash of the admin password is stored in
Everyone has access to it. So just get the hash and crack it with john.

The real problem is that many admins don't use secure passwords ;-)

######Vendor Response:

They told me that they are going to fix it in the next version.

Greetz to:

Erik, (O_o)oOoOoOo.


