Description
The ISAPI extension in BadBlue 1.7 through 2.2, and possibly earlier versions, modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by mattmurphy · textremotewindows
https://www.exploit-db.com/exploits/22620
References (2)
Core 2
Core References
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105346382524169&w=2
Exploit, Patch, Vendor Advisory mailing-list
x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0075.html
Scores
EPSS
0.0198
EPSS Percentile
83.7%
Details
Status
published
Products (1)
working_resources_inc./badblue
< 2.2
Published
Jun 09, 2003
Tracked Since
Feb 18, 2026