Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability Advisory-ID: 200801163 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 1.5g to and including 2.3(Beta Build #174); and possibly HFS version 1.5f Non-Affected Applications: HFS 1.5e and earlier versions Class: Log Forging/Injection, Username Spoofing Status: Patch available/Vendor informed Vendor: Massimo Melina Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities: * CVE-2008-0407 - Username Spoofing Vulnerability * CVE-2008-0408 - Log Forging / Injection Vulnerability ---------------------------------------------------------------- Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times. Description: HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are vulnerable to log forging and username spoofing vulnerabilities. Remote attackers can appear to be logged in with any desired username or perform log injection in the log file and GUI panel. Technical details are included below. ---------------------------------------------------------------- Details (Replicating the issues): 1) Log Forging / Injection Vulnerability http://www.syhunt.com/advisories/hfshack.txt See the "maniplog" command maniplog [localfilename] This will inject the content of [localfilename] to the HFS log panel and file. 2) Username Spoofing Vulnerability a. Login at http://[host]/~login as [user_x]. Then request (using a web browser): http://[user_y]:[anywrongpwd]@[host]/ --or-- b. send a direct request in the following format (does not require previous login): GET / HTTP/1.1 (...) Authorization: Basic dXNlcl95 Both alternatives could make an admin to believe that user Y has made the HTTP request when reviewing logs. Additional Considerations: * Vulnerabilities described here will not allow browsing protected files and folders. ---------------------------------------------------------------- Vulnerability Status: The author was contacted and HFS version 2.2c was released. The new version can be downloaded at www.rejetto.com/hfs/download or via the "Check for news/updates" option in the HFS menu. Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta build. HFS 2.3 Beta is only affected if the option "Accept any login for unprotected resources" is enabled. This option, introduced in this version, is disabled by default. ---------------------------------------------------------------- Credit: Felipe Aragon and Alec Storm Syhunt Security Research Team, www.syhunt.com --- Copyright © 2008 Syhunt Security Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.