Matt Murphy

Name of the Vulnerable Software and Affected Versions: BadBlue versions 1.7 through 2.2 Description: The issue allows remote attackers to bypass authentication by manipulating filename extensions. This is achieved by exploiting the ISAPI extension's behavior of modifying the first two letters of a filename extension after performing a security check. For example, using a filename with a `.ats` extension instead of a `.hts` extension can bypass the security measures. Recommendations: For BadBlue versions 1.7 through 2.2, consider restricting access to sensitive files and directories to minimize the risk of exploitation until a proper fix is applied. As a temporary workaround, avoid using the `.ats` extension for sensitive files.

Name of the Vulnerable Software and Affected Versions: eServ versions 2.9x Description: A memory leak in the software allows remote attackers to cause a denial of service, specifically memory exhaustion, by establishing a large number of connections. The memory allocated for these connections is not freed when the connections are terminated. Recommendations: For eServ versions 2.9x, at the moment, there is no information about a newer version that contains a fix for this vulnerability.