|
|
Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and
Information Disclosure Vulnerabilities
Advisory-ID: 200801161
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.0 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 1.6a and earlier versions
Class: Cross-Site Scripting (XSS), Information Disclosure
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability
----------------------------------------------------------------
Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.
Description:
When a specific URL is visited, HFS displays a non-existent
account name in the response body. This non-existent account
name can be HTML code, allowing a remote attacker to use this
to launch XSS attacks.
Because the HTML code is also recognized by the web server as a
HFS HTML template, it is also possible to inject symbols to
force HFS to reveal details about the server (eg, current HFS
server version, build, connections, timestamp, uptime, current
outbound and inbound speed, and more). Technical details are
included below.
----------------------------------------------------------------
Details (Replicating the issues):
1) Cross-Site Scripting (XSS) and Host Field XSS Vulnerabilities
Example 1 - Launching a basic XSS:
http://