Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build #174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net
The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities:
- CVE-2008-0407 - Username Spoofing Vulnerability
- CVE-2008-0408 - Log Forging / Injection Vulnerability
Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times.
Description: HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are vulnerable to log forging and username spoofing vulnerabilities. Remote attackers can appear to be logged in with any desired username or perform log injection in the log file and GUI panel. Technical details are included below.
Details (Replicating the issues):
1) Log Forging / Injection Vulnerability
See the maniplog command
This will inject the content of [localfilename] to the HFS log panel and file.
2) Username Spoofing Vulnerability
a. Login at
http://[host]/~login as [user_x]. Then request
(using a web browser):
b. send a direct request in the following format (does not require previous login):
GET / HTTP/1.1 (...) Authorization: Basic dXNlcl95
Both alternatives could make an admin to believe that user Y has made the HTTP request when reviewing logs.
- Vulnerabilities described here will not allow browsing
protected files and folders.
Vulnerability Status: The author was contacted and HFS version 2.2c was released. The new version can be downloaded at www.rejetto.com/hfs/download or via the "Check for news/updates" option in the HFS menu.
Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta build.
HFS 2.3 Beta is only affected if the option "Accept any login for unprotected resources" is enabled. This option, introduced in this version, is disabled by default.
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com
Copyright © 2008 Syhunt Security
Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes.
Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.