mailing list archives
BadBlue Yet Another Directory Traversal
From: Strumpf Noir Society <vuln-dev () labs secureance com>
Date: Tue, 26 Feb 2002 17:38:06 +0100
Strumpf Noir Society Advisories
! Public release !
-= BadBlue Yet Another Directory Traversal =-
Release date: Tuesday, February 26, 2002
BadBlue is the technology behind Working Resources Inc.'s product line with
the same name and which, amongst other things, also powers Deerfield.com's
D2Gfx file sharing community.
Working Resources Inc. : http://www.badblue.com
Deerfield's D2Gfx : http://d2gfx.deerfield.com
The BadBlue server has in the past been found vulnerable to several directory
traversal attacks. One of these was the "regular" double-dot traversal attack.
We ourselves described another one in our earlier advisory sns2k2-badblue2-adv,
entitled "BadBlue Scripting Directory Traversal Vulnerability". Working Resources
Inc. has applied fixes for both, however these can easily be circumvented.
Below described problem was identified during testing of the fix for the issue
we reported in sns2k2-badblue2-adv, which has just recently been released. In
our previous advisory we expressed the vendor's intention to solve this problem
in the next BadBlue release (not forthcoming at the time), it is however
important to note that this release (v1.6) is vulnerable to below as well.
The problem lies in the fact that the BadBlue server filters the "./"
combination out of urls to prevent the directory traversal attacks described.
In doing so however, it leaves open a window of exploitation for variations of
these characters, which are not correctly removed from input.
The problem is obvious and allows an attacker to read any file on the server.
Vendor has been notified and has released BadBlue v1.6.1 which does properly
parse requests like this.
- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
- BadBlue Personal Edition (v1.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.6 Beta) for Win95/NT4
- BadBlue Enterprise Edition (v1.6 Beta) for Win98/2000/ME/XP
- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for
Earlier versions were already found vulnerable to mentioned "regular" directory
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
- BadBlue Yet Another Directory Traversal Strumpf Noir Society (Feb 26)