Vulnerability Description
Multiple directory traversal vulnerabilities in HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allow remote attackers to create arbitrary (1) files and (2) directories via a .. (dot dot) in an account name, when requesting the / URI; and (3) append arbitrary data to a file via a .. (dot dot) in an account name, when requesting a URI composed of a "/?%0a" sequence followed by the data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hfs | Http File Server | <= 2.2b |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/28631Vendor Advisory
- http://securityreason.com/securityalert/3581
- http://www.rejetto.com/hfs/?f=wnExploit
- http://www.securityfocus.com/archive/1/486873/100/0/threaded
- http://www.securityfocus.com/bid/27423
- http://www.syhunt.com/advisories/hfs-1-log.txt
- http://www.syhunt.com/advisories/hfshack.txtExploit
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39873
- http://secunia.com/advisories/28631Vendor Advisory
- http://securityreason.com/securityalert/3581
- http://www.rejetto.com/hfs/?f=wnExploit
- http://www.securityfocus.com/archive/1/486873/100/0/threaded
- http://www.securityfocus.com/bid/27423
- http://www.syhunt.com/advisories/hfs-1-log.txt
- http://www.syhunt.com/advisories/hfshack.txtExploit
FAQ
What is CVE-2008-0405?
CVE-2008-0405 is a vulnerability with a CVSS score of 10.0 (HIGH). Multiple directory traversal vulnerabilities in HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allow remote attackers to create arbitrary (1) files and (2) directori...
How severe is CVE-2008-0405?
CVE-2008-0405 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-0405?
Check the references section above for vendor advisories and patch information. Affected products include: Hfs Http File Server.