Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities

Advisory-ID: 200801162
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.2 to and including 2.3(Beta Build #174)
Non-Affected Applications: HFS 2.1d and earlier versions
Class: Arbitrary File/Directory Manipulation, Denial of Service
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: -or-

The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities:

  • CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
  • CVE-2008-0406 - Denial of Service (DoS) Vulnerability

Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times.

Description: HFS (versions 2.2 to 2.3 beta) will not check if an account name provided during navigation exists or contains any invalid chars before logging information about a request. This is specially dangerous if the server has been configured to use account names as log filenames.

In this case, a remote attacker can use this flaw to create arbitrary files, append data to arbitrary files, create arbitrary folders or launch a DoS attack against the server. Technical details are included below.

Details (Replicating the issues):
1) Arbitrary File/Directory Manipulation Vulnerability
See the mkd and manipf commands

Example 1 - Arbitrary Directory Creation:
If HFS is running (for e.g.) in the C:\HFS directory, you can create the C:\Syhunt\ directory by entering:
mkd ..\Syhunt

Example 2 - Arbitrary File Creation/Manipulation:
manipf [localfilename] [remotefilename]
manipf inject.html ..\Syhunt\index.html

This example would create the file C:\Syhunt\index.html and append the content of the file inject.html to it.

2) Denial of Service (DoS) Vulnerability
checkdos command

  • HFS will close immediately after receiving the DoS request
  • This issue is related to Windows limitations with long

filenames. XP has a limit of 255 characters; Windows Vista a 260 chars limit.

Vulnerability Status: The vendor was contacted and has immediately released HFS 2.2c which fixes these problems. The new version can be downloaded at or via the "Check for news/updates" option in the HFS menu.

As a workaround for the affected releases, users can temporarily disable the logging feature or remove the symbol from the log filename.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta build.

HFS 2.3 Beta specifically is only affected if the option "Accept any login for unprotected resources" is enabled. This option, introduced in this version, is disabled by default.

Felipe Aragon and Alec Storm
Syhunt Security Research Team,

Copyright © 2008 Syhunt Security

Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.