| Field | Value |
| --- | --- |
| VID | 21022 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The '/cgi-bin/bb-hist.sh' CGI is installed. This file is the history viewer component of the Big Brother Unix-based distributed network monitoring package, which allows network administrators to view the status of networks and machines from a Web browser. Two types of vulnerability have been reported so far. 1. Big Brother versions 1.09b and 1.09c could allow a remote attacker to view portions of arbitrary text files on the server. 2. Big Brother versions 1.5d2 and earlier could allow a remote attacker to verify whether sensitive files exist on the server and to obtain the usernames of valid users. Error messages displayed by Big Brother reveal valid usernames and the existence of sensitive files; an attacker can use the usernames in brute-force password-cracking attempts. Sensitive information is included in error messages resulting from invalid requests to the following files: bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, bb-ack.sh |
| Recommendation | Upgrade to the latest version of Big Brother (1.5d3 or later), available from the Big Brother System and Network Monitor Web site (http://www.bb4.com/download.html). |
| Related URL | CVE-2000-1177 (CVE) |
| Related URL | 2869 (SecurityFocus) |
| Related URL | 3755 (ISS) |