CVE-2008-0408
https://notcve.org/view.php?id=CVE-2008-0408
HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication.
• http://secunia.com/advisories/28631
• http://securityreason.com/securityalert/3582
• http://www.rejetto.com/hfs/?f=wn
• http://www.securityfocus.com/archive/1/486874/100/0/threaded
• http://www.securityfocus.com/bid/27423
• http://www.syhunt.com/advisories/hfs-1-username.txt
• http://www.syhunt.com/advisories/hfshack.txt
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39876
• CWE-287: Improper Authentication
CVE-2008-0405
https://notcve.org/view.php?id=CVE-2008-0405
Multiple directory traversal vulnerabilities in HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allow remote attackers to create arbitrary (1) files and (2) directories via a .. (dot dot) in an account name, when requesting the / URI; and (3) append arbitrary data to a file via a .. (dot dot) in an account name, when requesting a URI composed of a "/?%0a" sequence followed by the data.
• http://secunia.com/advisories/28631
• http://securityreason.com/securityalert/3581
• http://www.rejetto.com/hfs/?f=wn
• http://www.securityfocus.com/archive/1/486873/100/0/threaded
• http://www.securityfocus.com/bid/27423
• http://www.syhunt.com/advisories/hfs-1-log.txt
• http://www.syhunt.com/advisories/hfshack.txt
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39873
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2008-0406 – Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2008-0406
HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allows remote attackers to cause a denial of service (daemon crash) via a long account name.
• https://www.exploit-db.com/exploits/31056
• http://secunia.com/advisories/28631
• http://securityreason.com/securityalert/3581
• http://www.rejetto.com/hfs/?f=wn
• http://www.securityfocus.com/archive/1/486873/100/0/threaded
• http://www.securityfocus.com/bid/27423
• http://www.syhunt.com/advisories/hfs-1-log.txt
• http://www.syhunt.com/advisories/hfshack.txt
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39875
• CWE-20: Improper Input Validation
CVE-2008-0409
https://notcve.org/view.php?id=CVE-2008-0409
Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL. HFS versions 2.3 through 2.0 suffer from cross site scripting and information disclosure vulnerabilities.
• http://secunia.com/advisories/28631
• http://securityreason.com/securityalert/3583
• http://www.rejetto.com/hfs/?f=wn
• http://www.securityfocus.com/archive/1/486872/100/0/threaded
• http://www.securityfocus.com/bid/27423
• http://www.syhunt.com/advisories/hfs-1-template.txt
• http://www.syhunt.com/advisories/hfshack.txt
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39870
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0410
https://notcve.org/view.php?id=CVE-2008-0410
HTTP File Server (HFS) before 2.2c allows remote attackers to obtain configuration and usage details by using an id element such as <id>%version%</id> in HTTP Basic Authentication instead of a username and password, as demonstrated by placing this id element in the userinfo subcomponent of a URL. HFS versions 2.3 through 2.0 suffer from cross site scripting and information disclosure vulnerabilities.
• http://secunia.com/advisories/28631
• http://securityreason.com/securityalert/3583
• http://www.rejetto.com/hfs/?f=wn
• http://www.securityfocus.com/archive/1/486872/100/0/threaded
• http://www.securityfocus.com/bid/27423
• http://www.syhunt.com/advisories/hfs-1-template.txt
• http://www.syhunt.com/advisories/hfshack.txt
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39871
• CWE-287: Improper Authentication