BadBlue server stores passwords in plaintext in the ext.ini file, which could allow local and possibly remote attackers to gain privileges.
http://www.iss.net/security_center/static/9558.php
http://archives.neohapsis.com/archives/bugtraq/2002-07/0143.html