Bugtraq mailing list archives
Big Brother filename extension vulnerability
From: xternal1 () YAHOO COM (xternal)
Date: Tue, 11 Jul 2000 16:11:39 -0700
versions affected:
bb14h2 (current) and older

exploit:
bbd listens for incoming connections on port 1984. Using telnet or the bb client, it is possible to connect and create a filename with an arbitrary extension, as the extension is not rigorously checked. As this file is dropped into a directory accessible via the web server, any file extension that is parsed server side can be abused.

For example:
./bb 1.2.3.4 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"
will allow viewing of /etc/passwd upon browsing to http://1.2.3.4/bb/logs/evil.php3.

solutions:
-Modify bbd.c to only allow specified file extensions (.disk, .proc ...)
-Implement access restrictions via $BBHOME/etc/security to minimize exposure to vulnerabilities. Unfortunately, the default install doesn't enable the security file.
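A sketch of the first solution in the post, added here as an example; it is not code from the original message or from the Big Brother source. The function name bb_logname_allowed is hypothetical, the allowlist holds only the two extensions the post names, and it assumes log names have the form <host>.<test> with dots in the hostname sent as commas.

```c
#include <stdio.h>
#include <string.h>

/* Extensions the daemon may write. "disk" and "proc" are the two named in
 * the post; extend the list with the tests a site actually runs. */
static const char *const ALLOWED_EXT[] = { "disk", "proc" };

/* Hypothetical helper: return 1 if `name` is acceptable as a log filename
 * of the form <host>.<test>, 0 otherwise. */
int bb_logname_allowed(const char *name)
{
    const char *dot;
    size_t i, hostlen;

    if (name == NULL)
        return 0;
    dot = strchr(name, '.');
    /* Exactly one dot, not leading: "x.php3.disk" is refused because a web
     * server that honours every extension could still interpret it. */
    if (dot == NULL || dot == name || strchr(dot + 1, '.') != NULL)
        return 0;
    hostlen = (size_t)(dot - name);
    if (hostlen > 255)
        return 0;
    /* Host part: letters, digits, '-', '_' and ',' only (assumption: dots
     * in hostnames arrive as commas). Rejects '/', whitespace, controls. */
    for (i = 0; i < hostlen; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_' || c == ',';
        if (!ok)
            return 0;
    }
    /* Extension must equal an allowlist entry exactly (case-sensitive). */
    for (i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++)
        if (strcmp(dot + 1, ALLOWED_EXT[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real installation. */
    const char *samples[] = { "www,example,com.disk", "evil.php3",
                              "x.php3.disk", "../etc.disk", "host.DISK" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               bb_logname_allowed(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check belongs before the daemon builds the path it writes to, so a rejected name never reaches the web-accessible logs directory.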