rejetto forum

A question about HFS v2.3m vulnerability

D · 2 · 6042

0 Members and 1 Guest are viewing this topic.

Offline D

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
https://www.cvedetails.com/cve/CVE-2020-13432/

Quote
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.

Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: None (There is no impact to the integrity of the system)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
If I read it correctly, this is a DoS solution that can't deal real damage, such as remote code execution?

Which HFS version is more secure (2.3m / 2.4 / 3.0)? Logically, not the beta versions, but they may have some vulnernabilities patched, I guess.


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 859
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
If I read it correctly, this is a DoS solution that can't deal real damage, such as remote code execution?
That's right, this is only a DoS issue, that could have a performance impact (it does NOT have a 'remote code execution' vulnerability). This was fixed in v2.4.0 RC1, so if you want to avoid this issue, you can use that version (or any other later version, like v2.4 RC07). HFS v3.0 is a new software, that has been totally rewritten from the ground up (it has nothing to do with the old code of HFS v2.x).

Which HFS version is more secure (2.3m / 2.4 / 3.0)? Logically, not the beta versions, but they may have some vulnernabilities patched, I guess.
About 'which HFS version is more secure', in terms of security, it is always best to stick with the latest available version (this applies to any other software too). But the decision is always up to the end user.
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.