Hi Matthew,

[...]

> Then an attack would be conducted that would add the "hd" virtual root and
> point it to C:\.
>
> This occurs because, even though the page content originated elsewhere,
> the request to submit the form originated from the client sitting on the
> BadBlue machine.
>
> http://localhost/hd/winnt/system32/cmd.exe?/c+echo+hello
>
> This will display "hello" to a console window if running BadBlue EE on WinNT
> after this exploit.
>
> http://localhost/hd/winnt/win.ini
> http://localhost/hd/windows/win.ini
>
> Have a look at your Win.ini from the web... :-D

Correct me if I'm wrong here, but what I'm reading this as is:

1) A page with a form POST method on a remote server is visited by a user on a system running the vulnerable BadBlue server software.

2) The form POST method executes the code previously mentioned, and adds a link that makes it possible for the user of the local system to view the contents of the drive through BadBlue.

In this, it's possible for a local user to view the contents of files added to the BadBlue server with the privileges of the BadBlue server process.

Question: Does this allow users to remotely view files via BadBlue as well?

Cheers,
ellipse