| Field | Value |
|---|---|
| VID | 22327 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The BadBlue server is vulnerable to directory traversal. BadBlue is a P2P file sharing Web server distributed by Working Resources for Microsoft Windows operating systems. BadBlue Personal Edition version 1.5.6 beta and BadBlue Enterprise Edition version 1.5.x could allow a remote attacker to traverse directories on the Web server. By sending a specially crafted request containing "dot dot" sequences (/../) as a parameter to the script used to read Microsoft Office documents, a remote attacker could read arbitrary files outside the Web root directory that can be opened by Microsoft Word, Access, or Excel. This vulnerability also affects Deerfield.com's D2Gfx client version 1.0.2. |
| References | http://labs.secureance.com/adv/sns2k2-badblue2-adv.txt ; http://www.jianteq.net/sns/adv/sns2k2-badblue-sum.txt |
| Platforms Affected | Deerfield.com D2Gfx 1.0.2; Working Resources Inc. BadBlue Enterprise Edition 1.5.x; Working Resources Inc. BadBlue Personal Edition 1.5.6 beta; Microsoft Windows (any version) |
| Recommendation | Upgrade to the latest version of BadBlue (2.61 or later), available from the BadBlue Download Web site at http://www.badblue.com/down.htm. As a workaround, disable BadBlue's Microsoft Office document sharing feature. |
| Related URL | CVE-2002-1684 (CVE) |
| Related URL | 3913 (SecurityFocus) |
| Related URL | 7946 (ISS) |