Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

BadBlue Web Server Ext.dll Vulnerabilities

From: SNS Research <vuln-dev () greyhack com>
Date: Sat, 17 Feb 2001 10:18:12 +0100
Strumpf Noir Society Advisories
! Public release !
<--#


-= BadBlue Web Server Ext.dll Vulnerabilities =-

Release date: Saturday, February 17, 2001


Introduction:

BadBlue is a (MS Windows-based) web server intended for a wide range of
applications, from providing file sharing possibilities to an
application development and deployment environment. It includes
full-featured support of tools like CGI, ISAPI and PHP.

BadBlue can be found on at vendor Working Resources Inc.'s website:
http://www.badblue.com


Problem:

The BadBlue web server serves files through a library called ext.dll.
A typical request to the server would be build up through a request to
this file together with a string containing the actual command data like
so: http://127.0.0.1/ext.dll?mfcisapicommand=loadpage&page=default.hts

Some ways have been found to manipulate the server by playing with this
string. By omitting the data following ext.dll in above mentioned
request, the server will return an error which discloses information
regarding the path where it is running on the machine. What's more, by
substituting this data for a string of 284 bytes or more, the BadBlue
web server will die.


Directory disclosure example:

http://server/ext.dll

will result in:

[Error: opening c:\program files\badblue\pe\default.htx (2)]


Denial-of-service example:

http://server/ext.dll?aaaaa(x 248 bytes)

will cause the server to die.


(..)


Solution:

Working Resources Inc. has made BadBlue version 1.02.8 availble from its
website, which adresses these problems.

This was tested against BadBlue 1.02.07 Personal Edition. After
contacting the vendor it is our understanding that the other members of
the BadBlue product suite are based on the same code base and are
vulnerable as well. Users are encouraged to upgrade.


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!
Previous By Date Next
Previous By Thread Next

Current thread: