Working Resources BadBlue Server phptest.php Path Disclosure Vulnerability
BID:9737
Info
| Bugtraq ID: | 9737 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 24 2004 12:00AM |
| Updated: | Feb 24 2004 12:00AM |
| Credit: | The disclosure of this vulnerability has been credited to Rafel Ivgi, The-Insider <[email protected]>. |
| Vulnerable: | Working Resources Inc. BadBlue 2.40 |
| Not Vulnerable: | |
Discussion
It has been reported that BadBlue Server may be prone to a remote path disclosure vulnerability. An attacker may be able to disclose the installation path by issuing a request for the 'phptest.php' script.
BadBlue version 2.4 has been reported to be affected by this issue; other versions may be vulnerable as well.
Exploit / POC
No exploit is required.
The following proof of concept has been supplied:
http://www.example.com/phptest.php
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
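With no vendor patch listed, one way to see whether the script has been requested on a host is to scan the access log for requests that resolve to 'phptest.php'. This is an added example, not part of the original advisory. The Common Log Format, the sample lines and the function names are assumptions; BadBlue's own log layout is not described here.

```python
import re
from urllib.parse import unquote

# Assumption: access logs in Common Log Format; the page does not describe
# BadBlue's own log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)
SCRIPT = "phptest.php"  # script named in the advisory


def normalise(target):
    """Reduce a request target to a list of comparable path segments."""
    path = target.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
    for _ in range(2):                               # single and double encoding
        path = unquote(path)
    path = path.replace("\\", "/").lower()           # Windows: '\' and case
    # Windows file APIs ignore trailing dots and spaces in a name.
    return [s.rstrip(". ") for s in path.split("/") if s]


def find_requests(lines):
    """Return (client, when, status, target) for each request for SCRIPT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalise(m["target"])[-1:] == [SCRIPT]:
            hits.append((m["client"], m["when"], int(m["status"]), m["target"]))
    return hits


def served(hits):
    """Requests answered with 200: the response may have carried the path."""
    return [h for h in hits if h[2] == 200]


# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [24/Feb/2004:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [24/Feb/2004:10:01:09 +0000] "GET /phptest.php HTTP/1.0" 200 512',
    '198.51.100.7 - - [24/Feb/2004:10:01:11 +0000] "GET /PHPTest.PHP?a=1 HTTP/1.0" 200 512',
    '203.0.113.5 - - [24/Feb/2004:10:02:00 +0000] "GET /%70hptest.php HTTP/1.0" 404 0',
    '192.0.2.10 - - [24/Feb/2004:10:03:00 +0000] "GET /docs/phptest.php.txt HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for client, when, status, target in find_requests(SAMPLE):
        print(f"{when} {client} {status} {target}")
```

Entries returned by `served()` are the ones to review first, since a 200 response means the script was actually delivered to the client.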
References
References:
- BadBlue Product Page (BadBlue)
- BadBlue 2.4 Local Path Disclosure By phptest.php ("Rafel Ivgi, The-Insider")