Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities Advisory-ID: 200801162 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 2.2 to and including 2.3(Beta Build #174) Non-Affected Applications: HFS 2.1d and earlier versions Class: Arbitrary File/Directory Manipulation, Denial of Service Status: Patch available/Vendor informed Vendor: Massimo Melina Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities: * CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability * CVE-2008-0406 - Denial of Service (DoS) Vulnerability ---------------------------------------------------------------- Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times. Description: HFS (versions 2.2 to 2.3 beta) will not check if an account name provided during navigation exists or contains any invalid chars before logging information about a request. This is specially dangerous if the server has been configured to use account names as log filenames. In this case, a remote attacker can use this flaw to create arbitrary files, append data to arbitrary files, create arbitrary folders or launch a DoS attack against the server. Technical details are included below. ---------------------------------------------------------------- Details (Replicating the issues): 1) Arbitrary File/Directory Manipulation Vulnerability http://www.syhunt.com/advisories/hfshack.txt See the "mkd" and "manipf" commands Example 1 - Arbitrary Directory Creation: If HFS is running (for e.g.) in the C:\HFS directory, you can create the C:\Syhunt\ directory by entering: mkd ..\Syhunt Example 2 - Arbitrary File Creation/Manipulation: manipf [localfilename] [remotefilename] manipf inject.html ..\Syhunt\index.html This example would create the file "C:\Syhunt\index.html" and append the content of the file "inject.html" to it. 2) Denial of Service (DoS) Vulnerability http://www.syhunt.com/advisories/hfshack.txt "checkdos" command * HFS will close immediately after receiving the DoS request * This issue is related to Windows limitations with long filenames. XP has a limit of 255 characters; Windows Vista a 260 chars limit. ---------------------------------------------------------------- Vulnerability Status: The vendor was contacted and has immediately released HFS 2.2c which fixes these problems. The new version can be downloaded at www.rejetto.com/hfs/download or via the "Check for news/updates" option in the HFS menu. As a workaround for the affected releases, users can temporarily disable the logging feature or remove the %user% symbol from the log filename. Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta build. HFS 2.3 Beta specifically is only affected if the option "Accept any login for unprotected resources" is enabled. This option, introduced in this version, is disabled by default. ---------------------------------------------------------------- Credit: Felipe Aragon and Alec Storm Syhunt Security Research Team, www.syhunt.com --- Copyright ? 2008 Syhunt Security Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.