BB4 Big Brother Network Monitor 1.5 d2 - bb-hist.sh?HISTFILE File Existence Disclosure

2000-11-20T00:00:00
ID EXPLOITPACK:3E8E8C206750DE39C55898C1596E3038
Type exploitpack
Reporter f8 Research Labs
Modified 2000-11-20T00:00:00

Description

BB4 Big Brother Network Monitor 1.5 d2 - bb-hist.sh?HISTFILE File Existence Disclosure

                                        
                                            source : https://www.securityfocus.com/bid/1971/info

Big Brother Network Monitor is a robust, feature rich network monitoring package produced by BB4 Technologies. A problem exists that can allow remote account guessing.

The problem occurs in the Common Gateway Interface package included with Big Brother, which runs on the Big Brother Display Server. The CGI is responsible for statistical posting of network operations on the Big Brother Display Server, an interface which is accessible via Web Browser. Due to insufficient handling of input, it is possible to verify the existance of sensitive files and valid user accounts through the the CGI of the Display Server. Yielding this information to a malicious user could result in a targeted brute force password cracking attack.

The following files are affected by this flaw:

bb-hist.sh
bb-histlog.sh
bb-hostsvc.sh 
bb-rep.sh 
bb-replog.sh 
bb-ack.sh

http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*