Here is the answer from the BadBlue Team : Thanks for the update. A fix will be included in the 1.5 version due within the next week. Thanks Dave --- Cabezon Aurelien | aurelien.cabezonat_private http://www.iSecureLabs.com | French Security Portal -----Message d'origine----- On Wed, 22 Aug 2001 11:11:28 acz [iSecureLabs] wrote: >-- [ iSecureLabs BadBlue v1.02 beta for Windows 98, ME and 2000 >Advisory ] -- > >BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure >Vulnerability >Problem discovered: 22/08/2001 > >-- [ Overview ] -- > >BadBlue http://badblue.com/ is a tiny, free download that lets you share >files, search other >PCs and even run powerful web applications. >Badblue support .php extension. >It is possible to retrieve full .php source code. > >-- [ Description ] -- > >Badblue contains an input validation vulnerability which may lead to >download the full source code of .php pages. >This is due to a lack of checks for NULL bytes. > >Exemple: >http://myBadBlue.com/test.php%00 > >Note: It is possible too to download .dll file used by BadBlue. > >Exmeple: >http://myBadBlue.com/ext.dll%00 > >-- [ Tested Version ] -- > >BadBlue v1.02 beta for Windows 98, ME and 2000 > >-- [ Discovered by ] -- > >Cabezon Aurelien | aurelien.cabezonat_private >http://www.iSecureLabs.com | French Security portal >http://www.isecurelabs.com/advisory/badblue.html > > > > Get 250 color business cards for FREE! http://businesscards.lycos.com/vp/fastpath/
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 08:12:04 PDT