BadBlue 1.7 allows remote malicious users to bypass password protections for directories and files via an HTTP request containing an extra / (slash).
working resources inc. badblue 1.7.0