BadBlue web server version 2.4 has a local path disclosure vulnerability in phptest.php.
61526ad7e90d57897a735b25cd5b3a4fed70406fc831efc5ad1c0098950b1c52~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Software: BadBlue
Vendor: http://www.BadBlue.com
Versions: 2.4
Platforms: Windows
Bug: Local Path Disclosure By phptest.php
Risk: Low
Exploitation: Remote with browser
Date: 22 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bug
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
BadBlue Edition is the first practical collaboration server
for businesses of any size... its powerful Office file sharing
works over the web: remote users only need browsers to view
files (even Word, Excel and Access). Full-text search is also
supported. Search, share, transfer files securely with colleagues.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Upon reffering to http://<host>/phptest.php the source code
of the html contains the local path of the server on the machine.
"If you would like to edit or examine this file to see how it
works, open the file <font color=blue>phptest.php</font> in the
BadBlue installation folder (usually this is
<font color=#888888>c:\program files\badblue\pe\phptest.php</font>)."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
http://<host>/phptest.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed