Big Brother bb-hist.sh History Module Arbitrary File Read

1999-04-26T00:00:00
ID OSVDB:21
Type osvdb
Reporter Michael Smith (michael@csuite.ns.ca)
Modified 1999-04-26T00:00:00

Description

Vulnerability Description

Big Brother contains a flaw that may allow a remote attacker to view arbitrary files. The problem is that the 'bb-hist.sh' CGI script does not validate user-supplied input, which may allow a remote attacker to view arbitrary files on the system, resulting in a loss of integrity.

Solution Description

Upgrade to version 1.09d or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Big Brother contains a flaw that may allow a remote attacker to view arbitrary files. The problem is that the 'bb-hist.sh' CGI script does not validate user-supplied input, which may allow a remote attacker to view arbitrary files on the system, resulting in a loss of integrity.

Manual Testing Notes

http://[victim]/cgi-bin/bb-hist.sh?HISTFILE=../../../../../../../../../../etc/passwd
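The missing check described in the Vulnerability Description, as an added illustration that is not Big Brother's own code: a POSIX sh function that accepts only a plain history-file name for a HISTFILE-style parameter and builds the path under a fixed directory, plus a grep over constructed access-log lines that flags requests to bb-hist.sh whose HISTFILE value carries a traversal sequence. The directory BB_HIST_DIR, the function names, the pattern and the log lines are assumptions.

```shell
#!/bin/sh
# Added illustration, not Big Brother's own code: the input validation that
# the vulnerable bb-hist.sh lacked, plus a log check for traversal attempts.
# BB_HIST_DIR, the function names and the sample log lines are assumptions.

# Assumed directory under which every history file must live.
BB_HIST_DIR="${BB_HIST_DIR:-/var/bb/hist-example}"

# validate_histfile NAME
# Accepts only a plain file name (characters A-Z a-z 0-9 . _ -, no leading
# dot, no '/', no '..') and prints the resulting path under BB_HIST_DIR.
# Returns 1 and prints nothing for anything else, so no caller ever opens
# a path built from an unchecked parameter. Callers should still test that
# the printed path is a regular file before reading it.
validate_histfile() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in
        */*|*..*|.*) return 1 ;;         # path separators, traversal, dotfiles
        *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside the allow-list
    esac
    printf '%s/%s\n' "$BB_HIST_DIR" "$name"
}

# Pattern for a bb-hist.sh request whose HISTFILE value carries a traversal
# sequence, literal or URL-encoded (matched case-insensitively).
TRAVERSAL_RE='bb-hist\.sh\?[^ ]*HISTFILE=[^ ]*(\.\./|\.\.%2f|%2e%2e)'

# flag_traversal_requests LOGFILE: print the matching access-log lines.
flag_traversal_requests() {
    grep -iE "$TRAVERSAL_RE" "$1"
}

# count_traversal_requests LOGFILE: print how many lines match.
count_traversal_requests() {
    grep -ciE "$TRAVERSAL_RE" "$1"
}

# Constructed sample access log (not real traffic) for the detection check.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [26/Apr/1999:10:00:00 +0000] "GET /cgi-bin/bb-hist.sh?HISTFILE=www1 HTTP/1.0" 200 512
10.0.0.9 - - [26/Apr/1999:10:00:01 +0000] "GET /cgi-bin/bb-hist.sh?HISTFILE=../../../../etc/passwd HTTP/1.0" 200 1024
10.0.0.9 - - [26/Apr/1999:10:00:02 +0000] "GET /cgi-bin/bb-hist.sh?HISTFILE=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1024
EOF

# Example usage.
validate_histfile www1 || echo 'www1: rejected'
validate_histfile '../../../../etc/passwd' || echo 'traversal value: rejected'
flag_traversal_requests "$SAMPLE_LOG"
```

The allow-list approach is deliberate: rejecting only the literal string `..` would still let through an encoded or otherwise disguised variant that the web server or script decodes later, whereas accepting nothing but a bare name and joining it to a fixed directory leaves no way for the parameter to name a file elsewhere. The log pattern covers the plain and percent-encoded forms of the sequence seen in the Manual Testing Notes and is meant for retrospective review of web-server logs on hosts that ran an affected version.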

References:

Vendor URL: http://www.bb4.org/index.html
Snort Signature ID: 1462
Snort Signature ID: 1531
Snort Signature ID: 1461
Snort Signature ID: 1459
Snort Signature ID: 1460
Snort Signature ID: 894
Nessus Plugin ID: 10025
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1999_2/0272.html
ISS X-Force ID: 3755
CVE ID: CVE-1999-1462
Bugtraq ID: 142