Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-0405

Overview

Vulnerability Score 10.0 10.0
CVE Id CVE-2008-0405
Last Modified 16 Sep 2009 01:14:42
Published 28 Jan 2008 07:00:00
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-0405

Summary

Multiple directory traversal vulnerabilities in HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allow remote attackers to create arbitrary (1) files and (2) directories via a .. (dot dot) in an account name, when requesting the / URI; and (3) append arbitrary data to a file via a .. (dot dot) in an account name, when requesting a URI composed of a "/?%0a" sequence followed by the data.

Vulnerable Systems

Application

  • Hfs Http File Server 2.2b


References

XF - hfs-unspecified-command-execution(39873)

MISC - http://www.syhunt.com/advisories/hfshack.txt

BID - 27423

BUGTRAQ - 20080123 Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities

MISC - http://www.rejetto.com/hfs/?f=wn

SECUNIA - 28631

SREASON - 3581


Last Updated: 27 May 2016 10:46:47