| VID |
22330 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The BadBlue server, according to its banner, has an unauthorized HTS access vulnerability. BadBlue is a P2P file sharing Web server distributed by Working Resources for Microsoft Windows operating systems. BadBlue versions 2.2 and earlier could allow a remote attacker to bypass BadBlue security checks when '.hts' files are requested. BadBlue restricts access to non-HTML files by replacing the first two letters in the file extension of a requested resource with 'ht'. If the third character of a file extension is 's', then it is possible to trick BadBlue into serving a non-HTML file with an extension of '.hts'. This will bypass other security checks which would normally prevent BadBlue from serving these files to remote users.
* Note: This check relies solely on the banner of the remote HTTP server to assess this vulnerability, so the finding may be a false positive.
* References: http://archives.neohapsis.com/archives/bugtraq/2003-05/0220.html
* Platforms Affected: Working Resources Inc., BadBlue Enterprise Edition 2.2 and earlier; Working Resources Inc., BadBlue Personal Edition 2.2 and earlier; Microsoft Windows, any version |
| Recommendation |
Upgrade to the latest version of BadBlue (2.3 or later), available from the BadBlue Download Web site at http://www.badblue.com/down.htm |
| Related URL |
CVE-2003-0332 (CVE) |
| Related URL |
7638 (SecurityFocus) |
| Related URL |
12034 (ISS) |
|