CVE-2002-0202 in PaintBBS
Summary
by MITRE
PaintBBS 1.2 installs certain files and directories with insecure permissions, which allows local users to (1) obtain the encrypted server password via the world-readable oekakibbs.conf file, or (2) modify the server configuration via the world-writeable /oekaki/ folder.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/22/2025
The vulnerability identified as CVE-2002-0202 affects PaintBBS version 1.2, a web-based bulletin board system that was widely used in the early 2000s for online communities and forums. This security flaw represents a classic case of improper access control and privilege escalation through insecure file system permissions. The vulnerability stems from the application's installation process where critical configuration files and directories are created with overly permissive access controls that violate fundamental security principles of least privilege and proper access management.
The technical implementation of this vulnerability manifests through two distinct attack vectors that exploit different permission levels on the file system. The first vector involves a world-readable configuration file named oekakibbs.conf which contains encrypted server password information. This file is accessible to any user on the system, allowing local attackers to extract authentication credentials that could potentially be used to gain unauthorized access to the bulletin board system or related services. The second vector targets a world-writable directory structure located at /oekaki/ which permits any local user to modify server configuration files and potentially alter system behavior. This dual nature of the vulnerability demonstrates poor security design where the application fails to properly enforce access controls during installation and runtime operations.
From an operational perspective, this vulnerability represents a significant risk to systems running PaintBBS 1.2 as it provides attackers with both credential theft capabilities and configuration modification privileges. The local privilege escalation aspect means that any user with access to the system can exploit these weaknesses without requiring external network access or complex attack vectors. The impact extends beyond simple unauthorized access to include potential system compromise through configuration manipulation that could lead to service disruption, data corruption, or further attack escalation. This vulnerability directly violates the principle of least privilege as defined in the CWE taxonomy under CWE-732, which specifically addresses improper permissions for critical security parameters.
The exploitation of this vulnerability aligns with several ATT&CK framework techniques including privilege escalation through access token manipulation and defense evasion through file and directory permissions modification. The insecure file permissions represent a persistent security weakness that remains exploitable until properly addressed through system hardening or application updates. Organizations running legacy systems like PaintBBS 1.2 should immediately investigate and remediate these permission settings to prevent potential unauthorized access. The recommended mitigation strategies include proper file permission management where sensitive configuration files are set to read-only for the appropriate user accounts only, and world-writable directories are either removed or restricted to authorized administrators. This vulnerability also highlights the importance of security auditing during software installation processes and the need for comprehensive permission reviews to ensure that security controls are properly implemented and maintained throughout the system lifecycle.