COMMAND

    BadBlue

SYSTEMS AFFECTED

    BadBlue v1.02 beta for Windows 98, ME and 2000

PROBLEM

    BadBlue  is  a  tiny,  free  download  that  lets you share files,
    search other PCs and even run powerful web applications.   Badblue
    support .php  extension.   It is  possible to  retrieve full  .php
    source code.

    Badblue contains an input validation vulnerability which may  lead
    to download the full source code of .php pages.  This is due to  a
    lack of checks for NULL bytes.  Exemple:

        http://myBadBlue.com/test.php%00

    It is possible too to download .dll file used by BadBlue. Exmeple:

        http://myBadBlue.com/ext.dll%00

    This has been discovered by Cabezon Aurelien.

SOLUTION

    A fix will be included in the 1.5 version.