versions affected: bb14h2 (current) and older exploit: bbd listens for incoming connections on port 1984. Using telnet or the bb client, it is possible to connect and create a filename with an arbitrary extension, as the extension is not rigorously checked. As this file is droped into a directory accessible via the web server, any file extension that is parsed server side can be abused. For example: ./bb 1.2.3.4 "status evil.php3 " will allow viewing of the /etc/passwd upon browsing to http://1.2.3.4/bb/logs/evil.php3. solutions: -Modify bbd.c to only allowed specified file extensions(.disk, .proc ...) -Implement access restrictions via $BBHOME/etc/security to minimize exposure to vulnerabilities. Unfortunately, the default install doesn't enable the security file. __________________________________________________ Do You Yahoo!? Get Yahoo! Mail – Free email you can access from anywhere! http://mail.yahoo.com/