Title: Working Resources BadBlue Triple-Dot-Slash Directory Traversal Vulnerability
Severity: HIGH
Description:
Working Resources BadBlue is a webserver for sharing various resources, developed for Microsoft Windows environments.
A problem has been discovered in BadBlue which may cause sensitive information to be disclosed to remote attackers. This problem is due to insufficient validation of input supplied via web requests.
BadBlue is prone to directory traversal attacks. It is possible for a remote attacker to submit a malicious web request containing triple-dot-slash (.../) sequences to break out of the wwwroot directory. The attacker may browse arbitrary web-readable files on the host running the vulnerable software.
On Windows operating systems, webservers run in the SYSTEM context. A remote attacker may exploit this vulnerability to read any file on the host that will render in their web browser.
Deerfield's D2Gfx is powered by BadBlue v1.02 and should be considered vulnerable as well.
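The defect above is a path filter that handles "../" but not "…/". The following added example (not BadBlue's or Juniper's code) shows a root-confinement check that treats any all-dot segment of two or more dots as a parent reference after percent-decoding and separator normalisation, plus a detector that runs it over constructed access-log lines; the webroot "/wwwroot" and the log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Any segment made only of two or more dots is treated as "go up one level"; this covers
# "..", "...", "....", so a filter that only strips ".." cannot be sidestepped this way.
DOT_SEGMENT = re.compile(r"^\.{2,}$")


def resolve_under_root(webroot, request_path):
    """Canonical path of request_path under webroot, or None if it escapes the root."""
    path = request_path
    for _ in range(3):                      # unwind a few layers of percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # Windows accepts both separators
    kept = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if DOT_SEGMENT.match(seg):
            if not kept:
                return None                 # would climb above the webroot
            kept.pop()
            continue
        kept.append(seg)
    return "/".join([webroot.rstrip("/")] + kept)


LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed access-log lines (not real traffic) for the detector below.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2003:10:00:01 +0000] "GET /.../.../private.txt HTTP/1.0" 200 300',
    '10.0.0.9 - - [01/Jan/2003:10:00:02 +0000] "GET /docs/..%2f..%2fsecret.txt HTTP/1.0" 404 0',
    '10.0.0.7 - - [01/Jan/2003:10:00:03 +0000] "GET /docs/.../readme.txt HTTP/1.0" 200 100',
]


def escaping_requests(log_lines, webroot="/wwwroot"):
    """Request targets from access-log lines that would resolve outside webroot."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and resolve_under_root(webroot, m.group(1).split("?", 1)[0]) is None:
            hits.append(m.group(1))
    return hits
```

Note that the fourth sample line uses a triple-dot segment but stays inside the root, so it is not reported; a detection rule that wants every traversal attempt, not just successful escapes, should alert on any DOT_SEGMENT match instead.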
Affected Products:
- Deerfield D2Gfx 1.0.2
- Working Resources Inc. BadBlue Enterprise Edition 1.5.6 Beta
- Working Resources Inc. BadBlue Enterprise Edition 1.6.0 Beta
- Working Resources Inc. BadBlue Personal Edition 1.5.6 Beta
- Working Resources Inc. BadBlue Personal Edition 1.6.0 Beta
References:
- Working Resources Inc: BadBlue Product Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.