[Original text] The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server.
A vulnerability exists in Big Brother that allows a remote user to create CGI scripts which can then be requested from the web server. These could be used to read files and possibly execute commands on the web server machine.
./bb 220.127.116.11 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"
will allow /etc/passwd to be viewed by browsing to http://18.104.22.168/bb/logs/evil.php3.
Sean MacGuire (Quest Software) Big Brother 1.4 H and below allows remote users to create files with any file extension within the web root of the remote host. This could allow an attacker to create malicious files that will be executed when accessed through a web browser, which could lead to complete system compromise.
Upgrade to a version of Big Brother newer than 1.4 H, or restrict access to authorized users by enabling the $BBHOME/etc/security file.
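Because bbd names the status file after the host and test in the message, the defender's check is whether anything in the web-served logs directory has a name a web server would hand to a script handler. The following is an added example written for this page, not code from Big Brother or from the advisory; it assumes that legitimate status files look like host.test, that dotted hostnames are stored with commas in place of dots, and that the listed extensions are the ones your web server maps to CGI or PHP (adjust both to your installation).

```python
import re
from typing import Optional

# Extensions a web server might execute instead of serving as text.
# Assumption for this example; match it to the handlers in your httpd config.
EXEC_EXTENSIONS = {"php", "php3", "phtml", "cgi", "pl", "sh"}

# A legitimate bbd status file is "<host>.<test>", where host and test contain only
# letters, digits, commas, underscores and hyphens (assumption: dotted hostnames are
# stored with commas, so the only "." separates host from test).
SAFE_NAME = re.compile(r"^[A-Za-z0-9,_-]+\.[A-Za-z0-9_-]+$")


def classify_status_name(name: str) -> Optional[str]:
    """Return a reason if a status file name looks dangerous, else None."""
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return "path separator or traversal component"
    if not SAFE_NAME.match(name):
        return "name does not match host.test pattern"
    ext = name.rsplit(".", 1)[1].lower()
    if ext in EXEC_EXTENSIONS:
        return f"extension .{ext} may be executed by the web server"
    return None


def audit_logs_dir(names):
    """Map each suspicious name in a directory listing to the reason it was flagged."""
    findings = {}
    for name in names:
        reason = classify_status_name(name)
        if reason is not None:
            findings[name] = reason
    return findings


# Constructed directory listing for the example; not output from a real BB install.
CONSTRUCTED_LISTING = [
    "www,example,com.conn",  # normal status file
    "www,example,com.disk",  # normal status file
    "evil.php3",             # the advisory's case: the "test" is a script extension
    "host.cgi",
    "../escape.conn",        # would land outside the logs directory
]

if __name__ == "__main__":
    for name, reason in audit_logs_dir(CONSTRUCTED_LISTING).items():
        print(f"{name}: {reason}")
```

The same check can be applied at the point where a status message is accepted, refusing any host or test name that fails classify_status_name, which is what the $BBHOME/etc/security restriction prevents from being needed in the first place.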