CVE-2003-0332 - Security Bypass vulnerability in BadBlue

CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
working-resources-inc
nessus
exploit available

Summary

The ISAPI extension in BadBlue 1.7 through 2.2, and possibly earlier versions, modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.

Vulnerable Configurations

Part Description Count
Application
Working_Resources_Inc.
1

Exploit-Db

description: Working Resources BadBlue 1.7.x/2.x Unauthorized HTS Access Vulnerability. CVE-2003-0332. Remote exploit for Windows platform
id: EDB-ID:22620
last seen: 2016-02-02
modified: 2003-05-20
published: 2003-05-20
reporter: mattmurphy
source: https://www.exploit-db.com/download/22620/
title: Working Resources BadBlue 1.7.x/2.x Unauthorized HTS Access Vulnerability

Nessus

NASL family: Web Servers
NASL id: BADBLUE_REMOTE_ADMINISTRATIVE_ACCESS.NASL
description: The remote host is running the BadBlue web server earlier than 2.2. Such versions are reportedly affected by an authentication bypass vulnerability. It is possible for an attacker to gain administrative access using a filename with a .ats extension instead of a .hts extension.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11554
published: 2003-04-27
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11554
title: BadBlue ISAPI Extension .hts Crafted File Extension Request Authentication Bypass
code
#
# (C) Tenable Network Security, Inc.
#

# Ref:
#  From: "Matthew Murphy" <[email protected]>
#  To: "BugTraq" <[email protected]>
#  Subject: BadBlue Remote Administrative Access Vulnerability
#  Date: Sun, 20 Apr 2003 16:28:18 -0500


include("compat.inc");

# Registration block: when the engine loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any network
# activity. The order matters here: every script_set_attribute() call must
# precede script_end_attributes(), and exit(0) must stay last.
if(description)
{
 script_id(11554);
 script_version ("1.17");
 script_cve_id("CVE-2003-0332");
 script_bugtraq_id(7387);

 script_name(english:"BadBlue ISAPI Extension .hts Crafted File Extension Request Authentication Bypass");
 # The summary describes what the check actually does: the detection further
 # down is banner-based (Server header version match), not an active bypass test.
 script_summary(english:"Get the version of the remote BadBlue server");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an authentication bypass
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running the BadBlue web server earlier than 2.2.
Such versions are reportedly affected by an authentication bypass
vulnerability. It is possible for an attacker to gain administrative
access using a filename with a .ats extension instead of a .hts
extension." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/vulnwatch/2003/q2/77" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to BadBlue v 2.2 or newer as this reportedly fixes the issue." );
 # CVSS2 AV:N/AC:H/Au:N/C:C/I:C/A:C — network, high complexity, no auth,
 # complete impact on all three properties; temporal: proof-of-concept
 # exploit, official fix available, confirmed.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 # NOTE(review): the Metasploit module named here is a 2.5 EXT.dll buffer
 # overflow, while this plugin covers the .ats/.hts authentication bypass in
 # releases before 2.2 (see the description above). The two look like
 # different issues — confirm that the exploit_framework_metasploit mapping
 # is intended before relying on it in reports.
 script_set_attribute(attribute:"metasploit_name", value:'BadBlue 2.5 EXT.dll Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 # NOTE(review): plugin_publication_date (2003/04/27) precedes
 # vuln_publication_date (2003/05/20), although the referenced BugTraq mail
 # in the header is dated 2003-04-20 — the vuln date may be worth confirming.
 script_set_attribute(attribute:"plugin_publication_date", value: "2003/04/27");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/20");
 script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 # ACT_ATTACK category, even though the check itself only reads the
 # Server banner; it runs after service discovery and HTTP version detection
 # on the port registered as Services/www (default 80).
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");
 script_require_ports("Services/www", 80);
 script_dependencies("find_service1.nasl", "http_version.nasl");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Detection phase. Locate the web server on the port registered as
# Services/www, falling back to 80.
port = get_http_port(default:80);

# Version detection is banner-only: with no recorded Server header there is
# nothing to match against, so leave quietly without reporting.
banner = get_http_banner(port:port);
if (!banner) exit(0);

# Report when the Server header advertises any 1.x release or a 2.0x/2.1x
# release; 2.2 and later fall outside the pattern.
# Technically speaking, version 2.16 is not vulnerable. However since we could
# not test it, we advise everyone to update to 2.2
if (egrep(pattern:"^Server: BadBlue/(1\.|2\.[0-1])", string:banner)) security_hole(port);