OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Tamer Sahin (ts_at_securityoffice.net)
Date: Thu Oct 24 2002 - 13:46:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: MD5

    - --[ BadBlue Web Server v1.7 Protected File Access Vulnerability ]--

    - --[ Type

    File Disclosure

    - --[ Release Date

    October 24, 2002

    - --[ Product / Vendor

    BadBlue is a very small footprint, Win32 web server that supports a suprisingly large
    array of features: NT-based security; application-serving via ISAPI, CGI, PHP, Perl etc.;
    CLF logging; virtual directories; directory browsing; service installation; etc.

    http://www.badblue.com

    - --[ Summary

    It is possible to construct a web request which is capable of accessing the contents
    of password protected files/folders on the BadBlue Web Server v1.7. This vulnerability
    may only be exploited to access password-protected files in sub-folders of wwwroot.

    http://host//secret/

    - --[ Tested

    Windows 2000 Sp3 / BadBlue Web Server v1.7
    Windows 98 SE / BadBlue Web Server v1.7

    - --[ Vulnerable

    BadBlue Web Server v1.7

    - --[ Disclaimer

    http://www.securityoffice.net is not responsible for the misuse or illegal use of any
    of the information and/or the software listed on this security advisory.

    - --[ Author

    Tamer Sahin
    tssecurityoffice.net
    http://www.securityoffice.net

    All our advisories can be viewed at http://www.securityoffice.net/articles/

    Please send suggestions, updates, and comments to feedbacksecurityoffice.net

    (c) 2002 SecurityOffice

    This Security Advisory may be reproduced and distributed, provided that this Security
    Advisory is not modified in any way and is attributed to SecurityOffice and provided
    that such reproduction and distribution is performed for non-commercial purposes.

    Tamer Sahin
    http://www.securityoffice.net

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6

    iQEVAwUAPbhAHvpL5ibJRTtBAQGW/gf+O/ttux6syte4PvUr8LnYYxnMIkWxAaHJ
    kduAhhf5WqgaNbWs5IVZ/h+pEaLETBZzHyCNeOeJdeUjwNLTzxxIMeg750d+RQ8s
    ko9fRE4WQkSn13z7ngYDDLOPaNboOMW7Fxwn0I16a4ccV6KjUVfH3AWixdET5ioo
    w8/Hjj/zhj1cmSyQ1kOnFvywyFbje11qN/ODkEQ7xkW5uUclCTbm1WMFcVfy8sEI
    RS1+azgF1dwQ4qhPimBwxEqv+1KY6byNsxDz1oEp/DYXRTPrbVhYIaQ6oHXTddGt
    uKfzsC51xbD+6FwyQzEEqczm4Bw/7QrMy4MSY711jGJdnZbi1eKtBQ==
    =jpPj
    -----END PGP SIGNATURE-----