[25645] in bugtraq
BadBlue Web Server v1.7.0 Directory Contents Disclosure
daemon@ATHENA.MIT.EDU (a b)
Mon Jun 3 14:21:40 2002
From: "a b" <p0pt4rtz@hotmail.com>
To: bugtraq@securityfocus.com
Cc: big@columbus.rr.com
Date: Sat, 01 Jun 2002 21:33:38 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F178fGpdlL6lWUvQ3lK00012a19@hotmail.com>
BadBlue Web Server v1.7.0 Directory Contents Disclosure
Author: p0p t4rtz and Bit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Release Date: May 31, 2002
Class: Input Validation Error
Remote/Local: Remote
Object: BadBlue v1.7.0 and below
Abstract::
^^^^^^^^^^
BadBlue is a well-known small-scale web server for sharing files with remote
users.
The server, by default, will not let a user view the contents of a
directory. Appending the unicode variant of "%" (hex 25) causes the web
server to display the contents of the current directory.
Vendor Status::
^^^^^^^^^^^^^^^^^
Vendor has been contacted and has produced a fix.
Workaround::
^^^^^^^^^^^^^^
Vendor has produced a patch.
Product Fix:
^^^^^^^^^^^^^
Version: BadBlue Personal Edition v1.7.1 May 28, 2002
Windows 95 and NT 4
http://www.badblue.com/bb95.exe
Windows 95, ME, 2000, XP
http://www.badblue.com/bb98.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
p0p t4rtz
p0pt4rtz@hotmail.com
Bit
bit@columbus.rr.com
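
A log check for the request pattern described in the abstract, as an added example that is not part of the original advisory or of BadBlue itself. It assumes the server's access log is in Common Log Format and that the "unicode variant of %" appears on the wire as the escape %25 at the end of the request path; the log lines are constructed.

```python
import re

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
VALID_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2002:10:00:01 -0700] "GET /index.htm HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Jun/2002:10:02:13 -0700] "GET /share/%25 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jun/2002:10:02:20 -0700] "GET /share/report%20final.doc HTTP/1.0" 200 20480',
    '203.0.113.4 - - [01/Jun/2002:10:05:44 -0700] "GET /docs/% HTTP/1.0" 404 210',
]

def classify(target):
    """Return a reason if the request path looks like the advisory's pattern, else None."""
    path = target.split('?', 1)[0]          # ignore any query string
    if path.endswith('%25'):                # assumed wire form of the appended "%"
        return 'path ends with escaped percent sign'
    # Remove well-formed escapes; any '%' left over is a malformed escape.
    if '%' in VALID_ESCAPE.sub('', path):
        return 'malformed percent escape in path'
    return None

def scan(lines):
    """Return one finding per suspicious request, noting whether it was served."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = CLF.match(line)
        if not match:
            continue                        # not a parseable access-log line
        client, method, target, status = match.groups()
        reason = classify(target)
        if reason:
            findings.append({
                'line': number, 'client': client, 'method': method,
                'target': target, 'status': int(status), 'reason': reason,
                'served': status.startswith('2'),   # 2xx: content was returned
            })
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request that was answered with a 2xx status by a server older than v1.7.1 is the case to review first.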