Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory
Manipulation and Denial-of-Service Vulnerabilities

Advisory-ID: 200801162
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.2 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 2.1d and earlier versions
Class: Arbitrary File/Directory Manipulation, Denial of Service
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
HFS (versions 2.2 to 2.3 beta) will not check if an account name
provided during navigation exists or contains any invalid chars
before logging information about a request. This is specially
dangerous if the server has been configured to use account names
as log filenames.

In this case, a remote attacker can use this flaw to create
arbitrary files, append data to arbitrary files, create
arbitrary folders or launch a DoS attack against the server.
Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):
1) Arbitrary File/Directory Manipulation Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "mkd" and "manipf" commands

Example 1 - Arbitrary Directory Creation:
If HFS is running (for e.g.) in the C:\HFS directory, you can
create the C:\Syhunt\ directory by entering:
mkd ..\Syhunt

Example 2 - Arbitrary File Creation/Manipulation:
manipf [localfilename] [remotefilename]
manipf inject.html ..\Syhunt\index.html

This example would create the file "C:\Syhunt\index.html" and
append the content of the file "inject.html" to it.

2) Denial of Service (DoS) Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
"checkdos" command

* HFS will close immediately after receiving the DoS request

* This issue is related to Windows limitations with long
filenames. XP has a limit of 255 characters; Windows Vista a 260
chars limit.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted and has immediately released HFS 2.2c
which fixes these problems. The new version can be downloaded at
www.rejetto.com/hfs/download or via the "Check for news/updates"
option in the HFS menu.

As a workaround for the affected releases, users can temporarily
disable the logging feature or remove the %user% symbol from the
log filename.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta specifically is only affected if the option
"Accept any login for unprotected resources" is enabled. This
option, introduced in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.