Vulnerability Development mailing list archives

TR: BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure Vulnerability
From: "acz [iSecureLabs]" <aurelien.cabezon () iSecureLabs com>
Date: Wed, 22 Aug 2001 13:57:51 +0200

Here is the answer from the BadBlue Team:

Thanks for the update.  A fix will be included in the 1.5 version due within
the next week.
Thanks Dave

---
Cabezon Aurelien | aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com | French Security Portal


-----Original Message-----

On Wed, 22 Aug 2001 11:11:28 acz [iSecureLabs] wrote:
-- [ iSecureLabs BadBlue v1.02 beta for Windows 98, ME and 2000 Advisory ] --

BadBlue v1.02 beta for Windows 98, ME and 2000 .php Source Code Disclosure Vulnerability
Problem discovered: 22/08/2001

-- [ Overview ] --

BadBlue http://badblue.com/ is a tiny, free download that lets you share
files, search other PCs and even run powerful web applications.
BadBlue supports the .php extension.
It is possible to retrieve full .php source code.

-- [ Description ] --

BadBlue contains an input validation vulnerability which may lead to
the download of the full source code of .php pages.
This is due to a lack of checks for NULL bytes.

Example:
http://myBadBlue.com/test.php%00

Note: It is also possible to download .dll files used by BadBlue.

Example:
http://myBadBlue.com/ext.dll%00

-- [ Tested Version ] --

BadBlue v1.02 beta for Windows 98, ME and 2000

-- [ Discovered by ] --

Cabezon Aurelien | aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com | French Security portal
http://www.isecurelabs.com/advisory/badblue.html
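
Added example, not part of the original advisory and not BadBlue's code: a request-path check in C that rejects a percent-encoded NULL byte before the server chooses a handler by file extension. It assumes the server percent-decodes the path and then dispatches on the extension; the names `decode_path`, `has_ext` and `classify` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode raw into out (capacity outsz). Returns the decoded length, or -1
 * if the path is malformed, too long, or decodes to a NUL byte (e.g. "%00"). */
long decode_path(const char *raw, char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; raw[i] != '\0'; i++) {
        int c = (unsigned char)raw[i];
        if (c == '%') {
            int hi = hexval((unsigned char)raw[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)raw[i + 2]);
            if (hi < 0 || lo < 0) return -1;   /* truncated or invalid escape */
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0') return -1;              /* embedded NUL: reject before dispatch */
        if (n + 1 >= outsz) return -1;         /* keep room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}

/* 1 if the decoded path ends in ext, compared case-insensitively (Windows file names). */
int has_ext(const char *path, size_t len, const char *ext) {
    size_t el = strlen(ext);
    if (len < el) return 0;
    for (size_t i = 0; i < el; i++)
        if (tolower((unsigned char)path[len - el + i]) != tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* Hypothetical dispatch: -1 reject, 1 hand to the interpreter, 0 serve as a static file. */
int classify(const char *raw) {
    char path[260];
    long len = decode_path(raw, path, sizeof path);
    if (len < 0) return -1;
    return has_ext(path, (size_t)len, ".php") ? 1 : 0;
}
```

Because the NUL check runs on the decoded bytes and before the extension comparison, the extension test and the later file open always see the same name.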