Syhunt: HFS (HTTP File Server) Username Spoofing and Log
Forging/Injection Vulnerability

Advisory-ID: 200801163
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build
#174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0407 - Username Spoofing Vulnerability
* CVE-2008-0408 - Log Forging / Injection Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are
vulnerable to log forging and username spoofing vulnerabilities.
Remote attackers can appear to be logged in with any desired
username or perform log injection in the log file and GUI panel.
Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):
1) Log Forging / Injection Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "maniplog" command

maniplog [localfilename]
This will inject the content of [localfilename] to the HFS log
panel and file.

2) Username Spoofing Vulnerability
a. Login at http://[host]/~login as [user_x]. Then request
(using a web browser): http://[user_y]:[anywrongpwd]@[host]/
--or--
b. send a direct request in the following format (does not
require previous login):
GET / HTTP/1.1
(...)
Authorization: Basic dXNlcl95

Both alternatives could make an admin to believe that user Y has
made the HTTP request when reviewing logs.

Additional Considerations:
* Vulnerabilities described here will not allow browsing
protected files and folders.

----------------------------------------------------------------

Vulnerability Status:
The author was contacted and HFS version 2.2c was released. The
new version can be downloaded at www.rejetto.com/hfs/download or
via the "Check for news/updates" option in the HFS menu.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta is only affected if the option "Accept any login
for unprotected resources" is enabled. This option, introduced
in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.