Vulnerability: Big Brother

Affected: All installed BB CGI scripts prior to v1.5d3

Description:

Loki found the following. Big Brother is designed to let anyone - from omniscient Sys Admins to Pointy-Headed Bosses - see how the network is doing in near real-time, from any web browser, anywhere.

Vulnerabilities exist that let a remote user determine whether sensitive files exist on the BBDISPLAY server(s) and enumerate user IDs there, which can then be used to launch a password brute-force attack. The HISTFILE parameter handed to the CGI script is not validated, so a wildcard in it is expanded against the server's filesystem, e.g.:

http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*

With the response to such a request an attacker can confirm not only that sensitive files exist on the system, but also which user accounts are valid (here, the home directory names), for a further brute-force attack against the system.

Solution:

Patch details: http://bb4.com/incident.nov21
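As an added illustration (not the advisory's text and not the bb4.com code), the following constructed Bourne-shell CGI fragment shows the class of flaw the URL above exploits: a request parameter expanded unquoted by the shell, so a wildcard such as /home/* enumerates the server's filesystem, beside a hardened form that accepts only a plain history-file name and resolves it inside a fixed directory. The function names, the fake /home layout with two users and the history directory are assumptions made for this example; the hardened check is a general mitigation, not the vendor's patch.

```shell
#!/bin/sh
# Added illustration, not the bb4.com code: a constructed Bourne-shell CGI
# fragment showing the class of bug described in the advisory, with a
# hardened form. Function names and the scratch directory layout (a fake
# /home with two users and a history directory) are assumptions for this
# example.

# Vulnerable: the HISTFILE request parameter is expanded unquoted, so a value
# such as /home/* is globbed by the shell against the server's filesystem and
# every matching path (here, one per user home directory) is reported back.
vulnerable_histfile_exists() {
    histfile=$1
    for path in $histfile; do          # unquoted on purpose: glob expands here
        if [ -e "$path" ]; then
            echo "$path"
        fi
    done
    return 0
}

# Hardened: accept only a plain file name (no slashes, no leading dot, no shell
# metacharacters) and look for it only inside the configured history directory.
# Exit status: 0 if the history file exists, 1 if not, 2 if the name was rejected.
safe_histfile_exists() {
    histdir=$1
    histfile=$2
    case "$histfile" in
        '' | .* | */* | *[!A-Za-z0-9._-]*) return 2 ;;
    esac
    [ -f "$histdir/$histfile" ]
}

# Self-contained demonstration on a scratch directory (run with --demo).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/hist"
    : > "$root/hist/example.host"
    echo "vulnerable, HISTFILE=$root/home/* leaks the user names:"
    vulnerable_histfile_exists "$root/home/*"
    for name in '../home/alice' '*' '.hidden' 'missing.host' 'example.host'; do
        safe_histfile_exists "$root/hist" "$name"
        echo "hardened, HISTFILE=$name -> exit status $?"
    done
    rm -rf "$root"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Running the script with --demo prints the two home directory names from the vulnerable path, then exit status 2 for the traversal, wildcard and dotfile names, 1 for a well-formed name that does not exist, and 0 for the one history file that does. The point of the hardened form is that the attacker-controlled value never reaches a glob or a path component the script did not choose.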