BB4 Technologies Big Brother Directory Traversal Vulnerability

Vulnerability ID: 1105917
Vulnerability type: Access validation error
Published: 2000-07-11
Updated: 2006-11-14
CVE ID: CVE-2000-0638
CNNVD ID: CNNVD-200007-025
Platform: CGI
CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/20068
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200007-025
|Vulnerability details
bb-hostsvc.sh in Big Brother 1.4h1 and earlier versions contains a vulnerability. A remote attacker can read arbitrary files via a ".." (dot dot) attack on the HOSTSVC parameter.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/1455/info

Versions 1.4H and prior of BB4 Big Brother are susceptible to a directory traversal vulnerability which would allow a remote user to view the contents of any directory or file on the system. Executing a GET request for:

http://target/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../directory

will display the contents of the specified directory.
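Added example, not part of the advisory and not code from Big Brother: a Python check that scans web-server access-log lines for bb-hostsvc.sh requests whose HOSTSVC value escapes its directory, the pattern the advisory describes. It handles both single and double percent-encoding of the "../" sequence; the log lines, client IPs and HOSTSVC values are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Lines 2-4 carry HOSTSVC values that traverse out of the intended directory.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2000:10:01:02 +0000] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=www.example.com.conn HTTP/1.0" 200 1534
10.0.0.9 - - [11/Jul/2000:10:01:07 +0000] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../etc HTTP/1.0" 200 4096
10.0.0.9 - - [11/Jul/2000:10:01:09 +0000] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 812
10.0.0.7 - - [11/Jul/2000:10:02:00 +0000] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=..%252F..%252Fetc HTTP/1.0" 200 77
10.0.0.2 - - [11/Jul/2000:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

# Extracts the request line: method and request-target.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def hostsvc_is_traversal(value: str) -> bool:
    """Return True if a HOSTSVC value could escape the CGI's base directory.

    Percent-decodes repeatedly (bounded) so that double-encoded input such as
    ..%252F is seen as ../, then flags an absolute path or any '..' segment.
    """
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = decoded.replace("\\", "/").split("/")
    return decoded.startswith("/") or ".." in segments


def flag_bb_hostsvc_traversal(log_text: str) -> list:
    """Return the client IPs of requests whose HOSTSVC parameter traverses."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/bb-hostsvc.sh"):
            continue
        # parse_qs already removes one layer of percent-encoding.
        for value in parse_qs(parts.query).get("HOSTSVC", []):
            if hostsvc_is_traversal(value):
                hits.append(line.split(" ", 1)[0])
                break
    return hits


if __name__ == "__main__":
    print(flag_bb_hostsvc_traversal(SAMPLE_LOG))  # ['10.0.0.9', '10.0.0.9', '10.0.0.7']
```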
|References

Source: XF
Name: http-cgi-bigbrother-bbhostsvc
Link: http://xforce.iss.net/static/4879.php

Source: BID
Name: 1455
Link: http://www.securityfocus.com/bid/1455

Source: bb4.com
Link: http://bb4.com/README.CHANGES

Source: BUGTRAQ
Name: 20000711 Remote exploit in all current versions of Big Brother
Link: http://archives.neohapsis.com/archives/bugtraq/2000-07/0147.html

Source: BUGTRAQ
Name: 20000711 Big Brother exploit
Link: http://archives.neohapsis.com/archives/bugtraq/2000-07/0146.html