https://www.exploit-db.com/exploits/22620
https://www.securityfocus.com/bid/87152
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200306-040

从BadBlue1.7到2.2版本，和可能之前版本的ISAPIextension执行安全检查后修改文件扩展名首两个字母。远程攻击者借助具有.ats扩展名而不是.hts扩展名绕过认证。

source: http://www.securityfocus.com/bid/7638/info

BadBlue is prone to a vulnerability that could allow remote attackers to gain unauthorized access to administrative functions.

It is possible to bypass BadBlue security checks when '.hts' files are requested by a remote user. BadBlue restricts access to non-HTML files by replacing the first two letters in the file extension of a requested resource with 'ht'. If the third character of a file extension is 's', then it is possible to trick BadBlue into serving a non-HTML file with an extension of '.hts'. This will bypass other security checks which would normally prevent BadBlue from serving these files to remote users.

http://www.example.com/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=root&a2=%5C

This example will reveal the contents of the server's primary volume.

Working Resources Inc. BadBlue 2.2

来源:VULNWATCH
名称:20030520BadBlueRemoteAdministrativeInterfaceAccessVulnerability
链接:http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0075.html
来源:BUGTRAQ
名称:20030520BadBlueRemoteAdministrativeInterfaceAccessVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=105346382524169&w;=2