Rejetto HTTP File Server (HFS) search feature fails to handle null bytes

ID VU:251276
Type cert
Reporter CERT
Modified 2014-10-06T19:16:00



Rejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.


CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287

Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:

http://<vulnerable instance>/?search==%00{.exec|calc.}

Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.


A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.


Apply an update
This issue is addressed in HFS version 2.3c and later, available here.

Vendor Information


Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Rejetto Affected

Notified: October 03, 2014 Updated: October 06, 2014



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


This issue is addressed in HFS version 2.3c and later, available here.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 6.2 | E:F/RL:OF/RC:C
Environmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


  • <>
  • <>
  • <>
  • <>
  • <>


This document was written by Joel Land.

Other Information

CVE IDs: | CVE-2014-6287
Date Public: | 2014-09-11
Date First Published: | 2014-10-06
Date Last Updated: | 2014-10-06 19:16 UTC
Document Revision: | 14