TR: BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure Vulnerability

From: acz [iSecureLabs] (aurelien.cabezonat_private)
Date: Wed Aug 22 2001 - 04:57:51 PDT


    Here is the answer from the BadBlue Team :
    
    Thanks for the update.  A fix will be included in the 1.5 version due within
    the next week.
    Thanks Dave
    
    ---
    Cabezon Aurelien | aurelien.cabezonat_private
    http://www.iSecureLabs.com | French Security Portal
    
    
    -----Original message-----
    
    On Wed, 22 Aug 2001 11:11:28
     acz [iSecureLabs] wrote:
    >-- [ iSecureLabs BadBlue v1.02 beta for Windows 98, ME and 2000
    >Advisory ] --
    >
    >BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure
    >Vulnerability
    >Problem discovered: 22/08/2001
    >
    >-- [ Overview ] --
    >
    >BadBlue http://badblue.com/ is a tiny, free download that lets you share
    >files, search other
    >PCs and even run powerful web applications.
    >BadBlue supports the .php extension.
    >It is possible to retrieve full .php source code.
    >
    >-- [ Description ] --
    >
    >BadBlue contains an input validation vulnerability which may allow
    >downloading the full source code of .php pages.
    >This is due to a lack of checks for NULL bytes.
    >
    >Example:
    >http://myBadBlue.com/test.php%00
    >
    >Note: It is also possible to download the .dll file used by BadBlue.
    >
    >Example:
    >http://myBadBlue.com/ext.dll%00
    >
    >-- [ Tested Version ] --
    >
    >BadBlue v1.02 beta for Windows 98, ME and 2000
    >
    >-- [ Discovered by ] --
    >
    >Cabezon Aurelien | aurelien.cabezonat_private
    >http://www.iSecureLabs.com | French Security portal
    >http://www.isecurelabs.com/advisory/badblue.html
    >
    >
    >
    >
    
    
    
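The mechanism the advisory describes, modelled as an added example (this is not BadBlue's code and is not part of the original post). It assumes the server percent-decodes the request path into a length-counted buffer, chooses the PHP or extension handler by inspecting those decoded bytes, and then hands the same buffer to C string functions such as fopen(), which stop at the first NUL byte. The function names, the route codes and the three sample URLs are constructed for the illustration; the advisory itself only reports the symptom and the two URLs.

```c
/* Added example, not BadBlue's code: a model of how a NUL byte that survives
 * URL decoding can split a server's "which handler?" decision from the file
 * it finally opens. The mechanism below is an assumption; the advisory only
 * reports that NUL bytes are not checked and that source is returned. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum route { ROUTE_REJECT = 0, ROUTE_PHP = 1, ROUTE_DLL = 2, ROUTE_STATIC = 3 };

/* Percent-decode src into dst and return the decoded length. The decoded
 * bytes may contain 0 (from "%00"); a terminating 0 is appended for callers
 * that treat dst as a C string. */
static size_t url_decode(const char *src, unsigned char *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0' && n + 1 < cap; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            dst[n++] = (unsigned char)src[i];
        }
    }
    dst[n] = '\0';
    return n;
}

/* Length-aware suffix test over the decoded bytes (no NUL termination assumed). */
static int ends_with(const unsigned char *p, size_t n, const char *suffix)
{
    size_t m = strlen(suffix);
    return n >= m && memcmp(p + n - m, suffix, m) == 0;
}

static int pick_handler(const unsigned char *path, size_t n)
{
    if (ends_with(path, n, ".php")) return ROUTE_PHP;   /* run through the PHP engine */
    if (ends_with(path, n, ".dll")) return ROUTE_DLL;   /* load as a server extension */
    return ROUTE_STATIC;                                /* send the file's bytes as-is */
}

/* Vulnerable dispatch: "/test.php%00" decodes to "/test.php" followed by a 0
 * byte, so neither suffix matches and the request falls to the static handler. */
int route_vulnerable(const char *url)
{
    unsigned char path[256];
    size_t n = url_decode(url, path, sizeof path);
    return pick_handler(path, n);
}

/* The path the static handler would hand to fopen(): fopen() reads a C string
 * and stops at the first 0 byte, so the trailing NUL vanishes and the file that
 * actually opens is test.php (or ext.dll), served verbatim. */
const char *fopen_target(const char *url)
{
    static char view[256];
    unsigned char path[256];
    url_decode(url, path, sizeof path);
    snprintf(view, sizeof view, "%s", (const char *)path);
    return view;
}

/* Fixed dispatch: after decoding, refuse any path containing a 0 byte, so the
 * bytes the router inspects and the bytes fopen() sees are always the same. */
int route_fixed(const char *url)
{
    unsigned char path[256];
    size_t n = url_decode(url, path, sizeof path);
    if (memchr(path, '\0', n) != NULL)
        return ROUTE_REJECT;
    return pick_handler(path, n);
}

int main(void)
{
    /* Constructed sample requests: the advisory's two URLs plus a clean one. */
    const char *urls[] = { "/test.php", "/test.php%00", "/ext.dll%00" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-14s vulnerable route=%d fopen(\"%s\")  fixed route=%d\n",
               urls[i], route_vulnerable(urls[i]), fopen_target(urls[i]),
               route_fixed(urls[i]));
    return 0;
}
```

The check belongs after decoding, on the decoded bytes: rejecting a literal "%00" in the raw URL before decoding leaves the router and the file open reading different strings, which is exactly the disagreement the two example URLs exploit.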



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 08:12:04 PDT