I notified some authoritative figures of the message board site but got mixed responses. After a while one said to fill in their own security tracker service, whilst others who replied were pretty blasé about the problem: like they weren't interested in it.
After a few days there has been no announcement and the exploit is still in place. So what do you do? Do you take this to a third party security advisor service to force it in the open?
Or do you sit on your hands and let the message board app team sort this out themselves?
---
For the record the software is a release candidate and not the final version. But I do believe there are many sites out there running this version of the software with the flaw.
Details of the exploit:
The exploit is due to new permissions which, out of the box, are not set correctly for a certain group. It is possible to masquerade as that group and perform the following:
1. Post messages on a message board which has turned off anonymous posting
2. Email users of the message board who have chosen to allow emails from registered users (although the exploit is from a non-registered user)
3. Exploit the 'email this to a friend' system, where non-registered users cannot access this feature but the non-registered masquerading group can.
IMO the last one is of the significance, but not the scale, of the original formmail exploit. Points 1 and 2 are just a spammer's dream and will wreck many boards.
The solution to the problem is simple: Those running the software today just need to revoke certain rights. For future releases the software needs to have the rights revoked at the start.
[edited by: Frank_Rizzo at 3:37 pm (utc) on June 21, 2007]
Perhaps the last sentence should be worded more strongly and state it shouldn't be run live until the final release.
If this were a regular release I'd say yes, it should be reported, but under the circumstances I'd suggest waiting for the final release.
I just tested again - as a user with 'no privileges' I can still exploit their email a friend system and post messages on their message board.
Can you imagine the embarrassment if a malicious spammer posted messages on their board, emailed thousands of users there and sent out thousands of email-a-friend messages with spam text included?
I think that is the problem with some open source software. As there is no bottom line to protect, the team members are too laid back.