Vulnerability Development mailing list archives
BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure Vulnerability
From: "acz [iSecureLabs]" <aurelien.cabezon () iSecureLabs com>
Date: Wed, 22 Aug 2001 11:11:28 +0200
-- [ iSecureLabs BadBlue v1.02 beta for Windows 98, ME and 2000 Advisory ] --

BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure Vulnerability

Problem discovered: 22/08/2001

-- [ Overview ] --

BadBlue http://badblue.com/ is a tiny, free download that lets you share files, search other PCs and even run powerful web applications. BadBlue supports the .php extension. It is possible to retrieve full .php source code.

-- [ Description ] --

BadBlue contains an input validation vulnerability which may lead to the download of the full source code of .php pages. This is due to a lack of checks for NULL bytes.

Example:
http://myBadBlue.com/test.php%00

Note: It is also possible to download a .dll file used by BadBlue.

Example:
http://myBadBlue.com/ext.dll%00

-- [ Tested Version ] --

BadBlue v1.02 beta for Windows 98, ME and 2000

-- [ Discovered by ] --

Cabezon Aurelien | aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com | French Security portal
http://www.isecurelabs.com/advisory/badblue.html
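The missing NULL-byte check, shown from the server side as an added example (not part of the original advisory and not BadBlue's code). The advisory does not describe BadBlue's internals, so the code assumes the usual cause: the extension test sees the whole decoded path while the file-opening code treats it as a NUL-terminated string. `pct_decode`, `views_disagree` and `request_path_ok` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Percent-decode with an explicit length so a decoded 0x00 stays visible.
   Returns the decoded length, or -1 on a malformed escape or overflow. */
long pct_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo; in += 2;
        }
        if (n >= cap) return -1;
        out[n++] = (unsigned char)c;
    }
    return (long)n;
}
static int ends_with(const unsigned char *b, size_t len, const char *ext) {
    size_t e = strlen(ext);
    return len >= e && memcmp(b + len - e, ext, e) == 0;
}
/* Assumed mechanism: 1 when the length-aware view and the C-string view
   of the same decoded path disagree about the ".php" extension. */
int views_disagree(const char *raw) {
    unsigned char buf[256] = {0};
    long len = pct_decode(raw, buf, sizeof buf - 1);
    return len >= 0 && (ends_with(buf, (size_t)len, ".php")
                        != ends_with(buf, strlen((char *)buf), ".php"));
}
/* Hardened check: reject malformed escapes and any decoded NUL byte. */
int request_path_ok(const char *raw) {
    unsigned char buf[256];
    long len = pct_decode(raw, buf, sizeof buf);
    return len >= 0 && memchr(buf, 0, (size_t)len) == NULL;
}
int main(void) {
    const char *s[] = {"/test.php", "/test.php%00", "/ext.dll%00", "/a%2"}; /* constructed */
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-13s ok=%d disagree=%d\n", s[i], request_path_ok(s[i]), views_disagree(s[i]));
    return 0;
}
```

Rejecting the request before any extension-based dispatch or file open means both views of the path are guaranteed to be the same string.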