Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and Information Disclosure Vulnerabilities

Advisory-ID: 200801161
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.0 to and including 2.3 (Beta Build #174)
Non-Affected Applications: HFS 1.6a and earlier versions
Class: Cross-Site Scripting (XSS), Information Disclosure
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities:

* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability

----------------------------------------------------------------

Overview:

HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times.

Description:

When a specific URL is visited, HFS displays a non-existent account name in the response body. This account name can contain HTML code, which allows a remote attacker to launch XSS attacks. Because the web server also processes the injected HTML as an HFS HTML template, it is possible to inject template symbols that force HFS to reveal details about the server (e.g., current HFS server version, build, connections, timestamp, uptime, current outbound and inbound speed, and more).

Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):

1) Cross-Site Scripting (XSS) and Host Field XSS Vulnerabilities

Example 1 - Launching a basic XSS: http://