Vulnerabilities > CVE-2003-0332 - Unspecified vulnerability in Working Resources Inc. Badblue

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
working-resources-inc
nessus
exploit available
NVD
Published: 2003-06-09
Updated: 2024-11-20

Summary

The ISAPI extension in BadBlue 1.7 through 2.2, and possibly earlier versions, modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.

Vulnerable Configurations

Part Description Count
Application
Working_Resources_Inc.
1

Exploit-Db

descriptionWorking Resources BadBlue 1.7.x/2.x Unauthorized HTS Access Vulnerability. CVE-2003-0332. Remote exploit for windows platform
idEDB-ID:22620
last seen2016-02-02
modified2003-05-20
published2003-05-20
reportermattmurphy
sourcehttps://www.exploit-db.com/download/22620/
titleWorking Resources BadBlue 1.7.x/2.x Unauthorized HTS Access Vulnerability

Nessus

NASL familyWeb Servers
NASL idBADBLUE_REMOTE_ADMINISTRATIVE_ACCESS.NASL
descriptionThe remote host is running the BadBlue web server earlier than 2.2. Such versions are reportedly affected by an authentication bypass vulnerability. It is possible for an attacker to gain administrative access using a filename with a .ats extension instead of a .hts extension.
last seen2020-06-01
modified2020-06-02
plugin id11554
published2003-04-27
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11554
titleBadBlue ISAPI Extension .hts Crafted File Extension Request Authentication Bypass
code
#
# (C) Tenable Network Security, Inc.
#

# Ref:
#  From: "Matthew Murphy" <[email protected]>
#  To: "BugTraq" <[email protected]>
#  Subject: BadBlue Remote Administrative Access Vulnerability
#  Date: Sun, 20 Apr 2003 16:28:18 -0500


include("compat.inc");

if(description)
{
 script_id(11554);
 script_version ("1.17");
 script_cve_id("CVE-2003-0332");
 script_bugtraq_id(7387);

 script_name(english:"BadBlue ISAPI Extension .hts Crafted File Extension Request Authentication Bypass");
 script_summary(english:"Get the version of the remote BadBlue server");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an authentication bypass
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running the BadBlue web server earlier than 2.2.
Such versions are reportedly affected by an authentication bypass
vulnerability. It is possible for an attacker to gain administrative
access using a filename with a .ats extension instead of a .hts
extension." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/vulnwatch/2003/q2/77" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to BadBlue v 2.2 or newer as this reportedly fixes the issue." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'BadBlue 2.5 EXT.dll Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/04/27");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/20");
 script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");
 script_require_ports("Services/www", 80);
 script_dependencies("find_service1.nasl", "http_version.nasl");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

banner = get_http_banner(port:port);
if(!banner)exit(0);

# Technically speaking, version 2.16 is not vulnerable. However since we could
# not test it, we advise everyone to update to 2.2
vulnerable = egrep(pattern:"^Server: BadBlue/(1\.|2\.[0-1])", string:banner);
if(vulnerable)security_hole(port);

References