BadBlue Web Server v1.7.0 Directory Contents Disclosure

From: a b (p0pt4rtzat_private)
Date: Sat Jun 01 2002 - 21:33:38 PDT


    BadBlue Web Server v1.7.0 Directory Contents Disclosure
    Author: p0p t4rtz and Bit
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Release Date:   May 31, 2002
    Class:          Input Validation Error
    Remote/Local:   Remote
    Object:         BadBlue v1.7.0 and below
    
    Abstract::
    ^^^^^^^^^^
    BadBlue is a well-known small-scale web server for sharing files with remote 
    users.
    The server, by default, will not let a user view the contents of a 
    directory. Appending the Unicode variant of "%" (hex 25) causes
    the web server to display the contents of the current directory.
    
    Vendor Status::
    ^^^^^^^^^^^^^^^^^
    Vendor has been contacted and has produced a fix.
    
    Workaround::
    ^^^^^^^^^^^^^^
    Vendor has produced a patch.
    
    Product Fix:
    ^^^^^^^^^^^^^
    Version: BadBlue Personal Edition v1.7.1 May 28, 2002
    
    Windows 95 and NT 4
    http://www.badblue.com/bb95.exe
    
    Windows 95, ME, 2000, XP
    http://www.badblue.com/bb98.exe
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    p0p t4rtz
    p0pt4rtzat_private
    
    Bit
    bitat_private
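
A log check for the request shape the advisory describes, added here as an example and not part of the original post or of BadBlue itself: it flags requests whose path ends in a literal "%", either as sent or after percent-decoding, and goes slightly beyond the advisory by also catching repeated encodings. Assumptions: the server log is in Common Log Format, the advisory's '"%" (hex 25)' means a trailing "%" or "%25", and all function names and sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Common Log Format request line. BadBlue's own log layout is not given in
# the advisory, so CLF is an assumption made for this example.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def ends_with_percent(target, max_rounds=3):
    """True if the path (query string removed) ends in a literal '%',
    as sent or after up to max_rounds of percent-decoding."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds + 1):
        if path.endswith("%"):
            return True
        decoded = unquote(path)
        if decoded == path:      # nothing left to decode
            break
        path = decoded
    return False

def scan(lines):
    """Return (ip, target, status, served) per matching request; served is
    True when the server answered 2xx, i.e. it returned content."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and ends_with_percent(m["target"]):
            status = int(m["status"])
            hits.append((m["ip"], m["target"], status, 200 <= status < 300))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2002:10:00:01 -0700] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.44 - - [01/Jun/2002:10:02:17 -0700] "GET /files/%25 HTTP/1.0" 200 2210',
    '192.0.2.44 - - [01/Jun/2002:10:02:30 -0700] "GET /files/% HTTP/1.0" 404 187',
    '192.0.2.10 - - [01/Jun/2002:10:03:05 -0700] "GET /docs/report%20final.pdf HTTP/1.0" 200 8812',
    '192.0.2.10 - - [01/Jun/2002:10:03:40 -0700] "GET /search?q=100%25 HTTP/1.0" 200 640',
    '192.0.2.51 - - [01/Jun/2002:10:05:12 -0700] "GET /files/%2525 HTTP/1.0" 403 201',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with `served` set to True on a server older than v1.7.1 is the case worth reviewing first, since the server returned content for the request.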
    
    
    
    


