BadBlue Server Flaws Disclose System Information, Including Database Passwords, to Remote Users and Also Allow Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1005693
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 24 2002
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Description: Several vulnerabilities were reported in the BadBlue server. A remote user can conduct cross-site scripting attacks against BadBlue users. A remote user can also obtain system information, potentially including database passwords.
It is reported that the 'soinfo.php' script (if PHP is enabled) will disclose server information to remote users. This may include ODBC database passwords.
It is also reported that the Search page 'ext.dll' contains another input validation vulnerability.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running BadBlue and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit search string is provided:
');alert(document.cookie);//
')" style="left:expression(eval('alert(document.cookie)'))">
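The two search strings above suggest that the term is reflected inside a single-quoted JavaScript string within a double-quoted HTML attribute. The following is an added illustration, not BadBlue's code and not part of the original report: the `doSearch` handler and the markup are hypothetical, and it shows that reflection pattern beside a context-encoded version, checking both strings against each.

```javascript
// Added illustration. The template is hypothetical, NOT BadBlue's markup.
// Assumption: the search term lands in a single-quoted JavaScript string that
// sits inside a double-quoted HTML event-handler attribute.
const PAYLOADS = [ // the two search strings quoted in the advisory
  "');alert(document.cookie);//",
  "')\" style=\"left:expression(eval('alert(document.cookie)'))\">",
];

// JS string context: every character except ASCII letters and digits becomes
// \uXXXX, so no quote, parenthesis, slash or angle bracket survives.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// HTML double-quoted attribute context.
function htmlAttrEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable form: the term is concatenated in with no encoding.
function renderVulnerable(term) {
  return `<a href="#" onclick="doSearch('${term}')">search</a>`;
}

// Hardened form: encode for the inner context (JS string) first, then for the
// outer one (HTML attribute), the reverse of the browser's decoding order.
function renderHardened(term) {
  const safe = htmlAttrEscape(jsStringEscape(term));
  return `<a href="#" onclick="doSearch('${safe}')">search</a>`;
}

// Structural check: the handler must be exactly one doSearch('literal') call,
// and nothing may follow the attribute except the rest of the intended tag.
function structureIntact(html) {
  const start = html.indexOf('onclick="') + 'onclick="'.length;
  const end = html.indexOf('"', start); // where the parser closes the attribute
  const handler = html.slice(start, end);
  const trailing = html.slice(end + 1);
  return /^doSearch\('(?:[^'\\]|\\.)*'\)$/.test(handler) &&
    trailing === ">search</a>";
}

for (const p of PAYLOADS) {
  console.log({ vulnerable: structureIntact(renderVulnerable(p)),
                hardened: structureIntact(renderHardened(p)) });
}
```

The first string breaks the check by appending a statement to the handler; the second leaves the handler intact but closes the attribute early and adds a new one, which is why the check also inspects what follows the attribute.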
Impact: A remote user can view potentially sensitive system information, potentially including database passwords.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running BadBlue, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: www.badblue.com/
Cause: Access control error, Input validation error
Underlying OS: Windows (Any)
Reported By: "Matthew Murphy" <mattmurphy@kc.rr.com>
Message History: None.
Source Message Contents
Date: Sun, 24 Nov 2002 12:37:23 -0600
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject: [Full-Disclosure] BadBlue XSS/Information Disclosure Vulnerabilities
BadBlue is a P2P/Web server offered for Microsoft Windows operating systems
by Working Resources. It has a bad security record -- file disclosure,
remote administration, denials of service, buffer overflows, directory
traversals, and more cross-site scripting flaws than I care to count. We
can add information disclosure to that list, and add a new XSS hole to the
count.
* soinfo.php - Massive Information Leak
If running with PHP enabled, the BadBlue server's default soinfo.php script
can be made to cough up substantial amounts of information, including ODBC
passwords:
-- soinfo.php --
<?php
phpinfo();
?>
-- soinfo.php --
Yielding this data to an attacker, in combination with access to the
database allows for a compromise of the database.
* Cross-Site Scripting in ext.dll Search Page -- Again
I've discovered another flaw in BadBlue's search engine allowing for
cross-site scripting:
');alert(document.cookie);//
')" style="left:expression(eval('alert(document.cookie)'))">
Either of these two queries will execute the alert(document.cookie) command.
You get the idea. :-)