167 matches found
Cross site request forgery (csrf)
HTTP File Server HFS before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request...
CVE-2008-0406
HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allows remote attackers to cause a denial of service (daemon crash) via a long account name...
Cross site scripting
Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL...
CVE-2008-0410
CVE-2008-0410 affects HFS (HTTP File Server) prior to 2.2c. The vulnerability enables information disclosure by placing an id element in the userinfo portion of a URL used for HTTP Basic Authentication (e.g., %version%). Remote attackers can obtain configuration and usage details from the server,...
CVE-2008-0406
CVE-2008-0406 affects HFS (HTTP File Server) prior to 2.2c, where using account names as log filenames allows a remote attacker to trigger a DoS (daemon crash) via a long account name. The issue stems from how logs are named and written when the %user% template is used; exploited input can overfl...
CVE-2008-0408
HTTP File Server HFS before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication...
CVE-2008-0409
CVE-2008-0409 describes a cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) prior to 2.2c. The issue arises from how the server handles the userinfo subcomponent of a URL, allowing remote attackers to inject arbitrary web script or HTML into responses. Affected product: HFS (HTTP...
CVE-2008-0409
Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL...
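The CVE-2008-0409 and CVE-2008-0410 entries above describe the same root cause: the name taken from the URL's userinfo (http://USER:pass@host/) is pasted into a page that is afterwards run through the server's %macro% expander, so "%version%" discloses server data and a "<script>" name is reflected unescaped. The following is an added illustration in Python, not HFS code (HFS is written in Delphi); the macro table, macro syntax and template text are constructed for the example and are not HFS's real ones. It shows the vulnerable ordering next to the fixed one, where macros are expanded only in the server's own template and the user-supplied name is HTML-escaped afterwards.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Server-side macros of the kind a template engine exposes. Names and values
# are constructed for this example; they are not HFS's real macro table.
MACROS = {"version": "2.2b", "uptime": "3d 04:12"}
MACRO_RE = re.compile(r"%([A-Za-z_]+)%")


def expand_macros(text):
    """Replace every %name% with its macro value; unknown names are left alone."""
    return MACRO_RE.sub(lambda m: MACROS.get(m.group(1), m.group(0)), text)


def userinfo_name(url):
    """The user part of the URL's userinfo (http://USER:pass@host/), percent-decoded.
    This is the attacker-controlled value the CVE entries refer to."""
    return unquote(urlsplit(url).username or "")


def render_vulnerable(url):
    """Pre-2.2c pattern from the entries: the name is pasted into the page and the
    whole page is then macro-expanded, so %version% leaks server data
    (CVE-2008-0410) and <script> is reflected verbatim (CVE-2008-0409)."""
    page = "<p>Welcome, " + userinfo_name(url) + "</p>"
    return expand_macros(page)


def render_fixed(url):
    """Expand macros only in the server's own template, then insert the name
    HTML-escaped. User-supplied text never reaches the macro expander, and
    str.replace does not rescan the inserted value, so a name containing
    '{name}' or '%version%' stays literal."""
    page = expand_macros("<p>HFS %version%. Welcome, {name}</p>")
    return page.replace("{name}", html.escape(userinfo_name(url), quote=True))


if __name__ == "__main__":
    # Constructed attack URLs: a macro name and a script tag in the userinfo.
    for u in ("http://%25version%25:x@files.example/",
              "http://%3Cscript%3Ealert(1)%3C%2Fscript%3E:x@files.example/"):
        print("vulnerable:", render_vulnerable(u))
        print("fixed:     ", render_fixed(u))
```

The order of operations is the whole fix: escape after expansion, never expand user data. Rejecting "%" in usernames alone would not help, since the reflected HTML problem is independent of the macro syntax.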
CVE-2008-0407
HTTP File Server HFS before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request...
CVE-2008-0405
Multiple directory traversal vulnerabilities in HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allow remote attackers to create arbitrary (1) files and (2) directories via a .. (dot dot) in an account name, when requesting the / URI; and (3) append arbitrary data to a fil...
CVE-2008-0408
CVE-2008-0408 (HFS) : HTTP File Server versions before 2.2c are vulnerable to a logfile manipulation flaw. Remote attackers can cause arbitrary text to be appended to the server log by sending text encoded in base64 during HTTP Basic Authentication. This is a log forging/injection issue that can ...
CVE-2008-0407
CVE-2008-0407 affects HFS (HTTP File Server) prior to version 2.2c. The vulnerability is a Username Spoofing issue where the server logs the username presented during HTTP Basic Authentication in request logs, even if authentication fails, which can mislead administrators about who actually made a r...
CVE-2008-0405
CVE-2008-0405 affects HTTP File Server (HFS) and describes multiple directory traversal flaws in versions prior to 2.2c. When account names are used for log filenames, an attacker can trigger traversal with .. in the account name to create arbitrary files and directories via the / URI, and can ap...
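The log-side entries above (CVE-2008-0405 traversal through account names used as log filenames, CVE-2008-0406 crash on a long account name, CVE-2008-0407 logging the claimed name whether or not authentication succeeded, and CVE-2008-0408 appending arbitrary text to the log through the base64 layer of Basic Authentication) all come from trusting the decoded username. The following is an added example in Python, not HFS's own code: a request-log writer that treats the Basic Authentication username as untrusted. The log directory, field layout and length limit are assumptions chosen for the example.

```python
import base64
import binascii
import re
from datetime import datetime, timezone
from pathlib import PurePosixPath

MAX_USER_LEN = 64                      # assumed bound; long names are a DoS vector (CVE-2008-0406)
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")   # first char alnum: rules out "." and ".."
LOG_DIR = PurePosixPath("/var/log/hfs")                    # assumed location


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' value; used here to construct test inputs."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(auth_header):
    """Return (username, password) from an Authorization header value, or None if it
    is not well-formed Basic auth. Bad base64 and non-UTF-8 are rejected outright
    rather than partially decoded."""
    scheme, _, blob = auth_header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def sanitize_for_log(value):
    """Log forging (CVE-2008-0408) smuggles CR/LF through base64 so one request writes
    several 'entries'. Truncate, then escape every control character so a request
    can never produce more than one log line."""
    out = []
    for ch in value[:MAX_USER_LEN]:
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def log_filename_for(account):
    """Derive a per-account log filename from an allowlist. Anything else (a '..',
    a slash or backslash, an over-long name: CVE-2008-0405 / CVE-2008-0406) falls
    back to one shared file instead of being used as a path component."""
    if (not account or len(account) > MAX_USER_LEN
            or not SAFE_NAME_RE.fullmatch(account)):
        return LOG_DIR / "unauthenticated.log"
    return LOG_DIR / f"{account}.log"


def build_log_entry(client_ip, method, path, auth_header, authenticated, when=None):
    """One log line recording the *claimed* name together with the authentication
    result. Logging the claimed name alone (CVE-2008-0407) lets a failed attempt
    impersonate a real user in the administrator's view."""
    when = when or datetime.now(timezone.utc)
    creds = parse_basic_auth(auth_header) if auth_header else None
    claimed = sanitize_for_log(creds[0]) if creds else "-"
    status = "auth=ok" if authenticated else "auth=fail"
    return f'{when.isoformat()} {client_ip} {method} {path} user="{claimed}" {status}'


if __name__ == "__main__":
    # Constructed requests: a forged multi-line name, a traversal name, a failed login.
    for user, ok in (("bob\r\n2008-01-23 admin GET /secret auth=ok", False),
                     ("..\\Syhunt", False), ("admin", False), ("alice", True)):
        hdr = basic_header(user, "pw")
        print(log_filename_for(parse_basic_auth(hdr)[0]),
              build_log_entry("10.0.0.5", "GET", "/", hdr, ok))
```

The fallback file for rejected names is deliberate: refusing the request would turn every malformed name into a probe result, whereas logging it under a shared file keeps the evidence and keeps the name out of the filesystem path.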
HFS HTTP File Server Multiple Remote Security Vulnerabilities
BUGTRAQ ID: 27423 CVE(CAN) ID: CVE-2008-0405,CVE-2008-0406,CVE-2008-0407,CVE-2008-0408,CVE-2008-0409,CVE-2008-0410 HTTP File Server is an open-source HTTP server for sharing files. HFS does not log certain input correctly: a user can forge the username at login to inject arbitrary content into the log file. HFS does not properly filter certain input before returning it to the user, which may lead to execution of arbitrary HTML and script code in the browser session of a user of the affected server....
HFS HTTP File Server Multiple Vulnerabilities
HFS HTTP File Server is an HTTP file-sharing server program. HFS HTTP File Server has multiple security issues; a remote attacker can exploit them for cross-site scripting, information disclosure, denial of service, arbitrary file creation and username spoofing attacks. 1) Using the "mkd" and "manipf" commands can lead to arbitrary file and directory creation or manipulation: mkd ..\Syhunt manipf inject.html ..\Syhunt\index.html 2) Sending a specially crafted request can crash the service. 3) Improper filtering of user-supplied URI input can lead to cross-site scripting attacks:...
hfs-xss.txt
Syhunt: HFS HTTP File Server Template Cross-Site Scripting and Information Disclosure Vulnerabilities Advisory-ID: 200801161 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 2.0 to and including 2.3Beta Build 174 Non-Affected Applications: HFS 1.6a and earlier versions...
Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities
Syhunt: HFS HTTP File Server Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities Advisory-ID: 200801162 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 2.2 to and including 2.3Beta Build 174 Non-Affected Applications: HFS 2.1d and earlier...
Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and Information Disclosure Vulnerabilities
Syhunt: HFS HTTP File Server Template Cross-Site Scripting and Information Disclosure Vulnerabilities Advisory-ID: 200801161 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 2.0 to and including 2.3Beta Build 174 Non-Affected Applications: HFS 1.6a and earlier versions...
Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability
Syhunt: HFS HTTP File Server Username Spoofing and Log Forging/Injection Vulnerability Advisory-ID: 200801163 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 1.5g to and including 2.3Beta Build 174; and possibly HFS version 1.5f Non-Affected Applications: HFS 1.5e and...