Reported May 20, 2003, by Matt Murphy.
BadBlue Web Based File Sharing Program, Personal Edition 1.7 through 2.2
A vulnerability in BadBlue Web Based File Sharing Program Personal Edition 1.7 through 2.2 can let an attacker gain full administrative control over the vulnerable system. The vulnerability is partially the result of the software performing two security checks in an incorrect order: the binary replacement of the first two characters in the requested file extension, and the requirement that requests to access .hts files are submitted by 127.0.0.1 and contain a proper 'Referer' header.
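The ordering flaw described above, modelled as an added example; it is not BadBlue's code and not the discoverer's proof of concept. The replacement value `ht`, the unconditional rewrite, the Referer prefix, all function names and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from dataclasses import dataclass

PROTECTED_EXT = ".hts"
LOCAL_ADDR = "127.0.0.1"
TRUSTED_REFERER = "http://127.0.0.1/"   # assumed form of a "proper" Referer


@dataclass
class Request:
    path: str
    remote_addr: str
    referer: str = ""


def rewrite_extension(path):
    """Simplified model (assumption): overwrite the first two characters
    of the extension with 'ht'. Paths with a shorter extension are unchanged."""
    stem, ext = posixpath.splitext(path)
    if len(ext) < 3:                      # '.' plus at least two characters
        return path
    return stem + ".ht" + ext[3:]


def may_access(path, req):
    """The .hts gate: only a local client with the expected Referer passes."""
    if not path.lower().endswith(PROTECTED_EXT):
        return True
    return req.remote_addr == LOCAL_ADDR and req.referer.startswith(TRUSTED_REFERER)


def resolve_check_then_rewrite(req):
    """Flawed order: the gate sees the raw name, the handler opens the rewritten one."""
    if not may_access(req.path, req):
        return None
    return rewrite_extension(req.path)


def resolve_rewrite_then_check(req):
    """Corrected order: the gate is applied to the name that will actually be opened."""
    final_path = rewrite_extension(req.path)
    return final_path if may_access(final_path, req) else None


if __name__ == "__main__":
    # Constructed requests; 203.0.113.5 is a documentation address.
    remote = Request("/panel.xxs", "203.0.113.5")
    local = Request("/panel.hts", LOCAL_ADDR, "http://127.0.0.1/index.htm")
    for req in (remote, local):
        print(req.path, req.remote_addr,
              resolve_check_then_rewrite(req), resolve_rewrite_then_check(req))
```

The general rule is that an access decision has to be made on the final, fully transformed name, so any rewriting or decoding step belongs before the check.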
The discoverer posted the following code as proof of concept:
An example of this exploit is as follows:
This adds '/root' as '\', revealing the server's primary volume. An attacker can then traverse the volume with the directory indexing feature of the server.
Discovered by Matt Murphy.