Reported May 20, 2003, by Matt Murphy.
VERSIONS AFFECTED
  • BadBlue Web Based File Sharing Program, Personal Edition 1.7 through 2.2
DESCRIPTION
A vulnerability in BadBlue Web Based File Sharing Program Personal Edition 1.7 through 2.2 can let an attacker gain full administrative control over the vulnerable system. The vulnerability stems in part from the software applying two security checks in the wrong order: the binary replacement of the first two characters of the requested file extension, and the requirement that requests for .hts files come from 127.0.0.1 and carry a proper 'Referer' header.
DEMONSTRATION
The discoverer posted the following code as proof of concept:
An example of this exploit is as follows:
http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=root&a2=%5C
This adds '/root' as '\', revealing the server's primary volume. An attacker can then traverse the volume with the directory indexing feature of the server.
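
The following is an added illustration, not BadBlue's code, of the ordering mistake the advisory describes: a handler that authorizes the requested name before the extension rewrite, beside one that rewrites first and then authorizes the name it will actually serve. The rewrite rule modelled here (the first two characters of the extension become "ht", so the PoC's admin.ats maps to admin.hts) and the remote client address are assumptions made for the example.

```python
# Added illustration, not BadBlue's code: the advisory's bug is that the
# extension rewrite and the .hts access check ran in the wrong order. The
# rewrite rule modelled here is an ASSUMPTION: the first two characters of
# the extension become "ht", so the page's "admin.ats" maps to "admin.hts".
from urllib.parse import parse_qs, urlparse

LOOPBACK = "127.0.0.1"

def requested_page(url: str) -> str:
    """Pull the page= parameter out of an ext.dll request URL."""
    return parse_qs(urlparse(url).query).get("page", [""])[0]

def rewrite_extension(page: str) -> str:
    """Assumed model of the rewrite: 'admin.ats' -> 'admin.hts'."""
    stem, dot, ext = page.rpartition(".")
    if not dot or len(ext) < 2:
        return page
    return f"{stem}.ht{ext[2:]}"

def hts_allowed(page: str, client_ip: str, referer: str = "") -> bool:
    """The .hts restriction: loopback client plus a Referer header."""
    if not page.lower().endswith(".hts"):
        return True
    return client_ip == LOOPBACK and bool(referer)

def vulnerable_dispatch(url: str, client_ip: str, referer: str = ""):
    """Bug: authorize the name as sent, then rewrite it. A remote client
    asking for admin.ats passes the check and is served admin.hts."""
    page = requested_page(url)
    if not hts_allowed(page, client_ip, referer):
        return None
    return rewrite_extension(page)

def fixed_dispatch(url: str, client_ip: str, referer: str = ""):
    """Fix: canonicalize first, then authorize the name actually served."""
    page = rewrite_extension(requested_page(url))
    if not hts_allowed(page, client_ip, referer):
        return None
    return page

# Constructed request modelled on the advisory's PoC URL; the remote
# client address 10.0.0.5 is made up for the example.
POC_URL = ("http://localhost/ext.dll?mfcisapicommand=loadpage"
           "&page=admin.ats&a0=add&a1=root&a2=%5C")

if __name__ == "__main__":
    print("vulnerable:", vulnerable_dispatch(POC_URL, "10.0.0.5"))
    print("fixed:     ", fixed_dispatch(POC_URL, "10.0.0.5"))
```

The general lesson is the one defenders apply to any path or name handling: normalize and canonicalize the request first, then run access checks against the final, resolved target.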
VENDOR RESPONSE
BadBlue has released version 2.3, which isn't vulnerable to this condition.
CREDIT

Discovered by Matt Murphy.