


Big Brother CGI scripts prior to v1.5d3 - Read sensitive files



Vulnerability

    Big Brother

Affected

    All installed BB CGI scripts prior to v1.5d3

Description

    Loki found the following. Big Brother is designed to let anyone, from
    omniscient Sys Admins to Pointy-Headed Bosses, see how the network is
    doing in near real-time, from any web browser, anywhere.

    Vulnerabilities exist such that someone can identify whether sensitive
    files exist and determine user ids on the BBDISPLAY server(s), and use
    those to launch a password brute-force attack, e.g.

        http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*

    Utilizing this information, we are then able to confirm not only
    whether sensitive files exist on the system, but also which user
    accounts are valid, for a further brute-force attack against the system.

Solution

    Patch details:

        http://bb4.com/incident.nov21

