Message-ID: <001d01c3fae5$751cc3a0$0b3016ac@fucku>
Date: Tue, 24 Feb 2004 16:49:43 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "bugtraq" <bugtraq@...urityfocus.com>
Cc: "securitytracker" <bugs@...uritytracker.com>,
	"SecurITeam News" <news@...uriteam.com>
Subject: BadBlue 2.4 Local Path Disclosure By phptest.php


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software:        BadBlue
Vendor:           http://www.BadBlue.com
Versions:        2.4
Platforms:       Windows
Bug:                Local Path Disclosure By phptest.php
Risk:                Low
Exploitation:   Remote with browser
Date:               22 Jan 2004
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@...l.com
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bug
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

BadBlue Edition is the first practical collaboration server 
for businesses of any size... its powerful Office file sharing
works over the web: remote users only need browsers to view
files (even Word, Excel and Access). Full-text search is also
supported. Search, share, transfer files securely with colleagues. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Upon referring to http://<host>/phptest.php, the HTML source returned
by the server contains the local path of the installation on the machine.

"If you would like to edit or examine this file to see how it
works, open the file <font color=blue>phptest.php</font> in the
BadBlue installation folder (usually this is
<font color=#888888>c:\program files\badblue\pe\phptest.php</font>)."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

http://<host>/phptest.php
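Added example (not part of the original advisory): a small checker an administrator can run against their own BadBlue host after removing or replacing the sample phptest.php, to confirm no Windows filesystem path is left in the rendered page. It parses the HTML, extracts visible text and comments, and searches for drive-letter paths. The two HTML snippets below are constructed for the example from the output quoted in section 2; the URL and function names are assumptions, and the checker handles any drive-letter path, not only the BadBlue one.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample of the leaking page (modelled on the quoted output above).
SAMPLE_LEAKY_HTML = r"""<html><body>
If you would like to edit or examine this file to see how it
works, open the file <font color=blue>phptest.php</font> in the
BadBlue installation folder (usually this is
<font color=#888888>c:\program files\badblue\pe\phptest.php</font>).
</body></html>
"""

# Constructed sample of a cleaned-up response with no path information.
SAMPLE_CLEAN_HTML = "<html><body>Sample file removed.</body></html>\n"

# Absolute Windows path: drive letter, then directory segments (which may
# contain spaces, e.g. "program files"), then a final file name without
# whitespace. Closing quotes, angle brackets and parentheses end a path.
WIN_PATH_RE = re.compile(
    r"\b[A-Za-z]:\\(?:[^\\<>\"'()\r\n]+\\)*[^\\<>\"'()\r\n\s]+"
)


class _TextCollector(HTMLParser):
    """Collects rendered text and HTML comments; tags and attributes are dropped."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_comment(self, data):
        # Paths left in HTML comments are just as visible to a client.
        self.chunks.append(data)


def extract_text(html):
    """Return the text a browser would show (plus comments) for an HTML document."""
    collector = _TextCollector()
    collector.feed(html)
    collector.close()
    return "\n".join(collector.chunks)


def find_path_disclosures(html):
    """Return every Windows filesystem path visible in the response body."""
    return WIN_PATH_RE.findall(extract_text(html))


def is_leaking(html):
    """True when the response discloses at least one local path."""
    return bool(find_path_disclosures(html))


def check_url(url, timeout=10):
    """Fetch a page from your own server and report disclosed paths (hypothetical helper)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return find_path_disclosures(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("leaky sample:", find_path_disclosures(SAMPLE_LEAKY_HTML))
    print("clean sample:", find_path_disclosures(SAMPLE_CLEAN_HTML))
    # To verify a real host you administer:
    # print(check_url("http://<host>/phptest.php"))
```

The text is extracted with the standard-library HTML parser rather than searching the raw markup, so a path split across attribute values is not reported, while paths inside comments are. The regex allows spaces only in directory segments, which keeps the match from running on into the sentence that follows the path.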

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."


