Yes Mars, I'm on the road a tad too much these days for construction in the States.
Most of my time and comments are from a phone.
My apologies. Anyway, here is what I'm trying to say:
Anyone aware of this problem and is there a way to mitigate this ?
According to Check Point advisory cpai-2019-0748 and mitre.org CVE ID CVE-2014-6287.
Seems an old bug that emerged again. (?)
So, I follow the "CVE" and pay close attention to the CVE reports and the comments and their responses here...
Most CVE reports regarding HFS, as they are filed, respond to the older version, hfs 2.3b, that had a bad template and base code in which you could use machine code such as the null byte to do some command execution on the PC remotely... This is one of those reports, and as it has been fixed/patched and the stable is not affected by that report, I see no problem. I'm aware of a security con where a professor uses HFS in a virtual machine to show how web browsing security works, and he uses the hfs 2.3b version in his class and study for ethical hacking...
Those are some of his reports, which is why it looks like a false positive duplication, because the same info is added into the 2014 version of the CVE, which rejetto responded to and patched/fixed.
The original CVE remote execution bug was a problem that, from my understanding, lay in the default hfs template, in which a user can still (??? potentially use a bad template) and be affected. The stable default template (and some good users' templates, such as DJ's and Danny's, work) are all stable and don't exhibit bugs in this way.
It may be possible in the current version of hfs with that bad template that one might be able to get similar remote execution.
I have not been able to replicate that issue since the patch version 2.3h, I believe...
Since then, this CVE report is from a new AV pickup on the macro and its find in the ".execute" macro command...
I was trying to find the original source and their test, because it claims that there is still an issue in the Pascal lib file that the stable version of hfs uses...
*but from what I can find there is no remote execution issue with the latest default template and a fresh download of the current hfs version 2.3m
The CVE reported a version "2.3 x" in the original report

So the beta might be being tested as a stable... atm idk, as I'm doing more research on it
----------------------------------------------
For all CVE reports, both new and old, see here:
https://www.cvedetails.com/vulnerability-list/vendor_id-14180/Rejetto.html
To be clear, the CVE that you are inquiring about is in regards to 2.3b, a bad version of hfs that does exhibit the remote execution code and atm, as far as I can tell, is only available via source compilation.
Quote from the CVE:
"2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action."
To be clear, this doesn't affect hfs version 2.3m, and I believe it was a late post reply in regard to the old CVE report.
----------------
@ to whom it may concern
You could adjust MIME types to disallow the execution of files such as *.exe and whatnot via adding a mimetype and using "text/html",
or a subtype for scripts to run:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
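A defender-side check for the pattern the CVE text above describes (a %00 sequence in a search action), written as an added example that is not from the original post or from rejetto. The access-log layout and the sample entries are constructed for illustration; HFS's real log format may differ.

```python
"""Flag HTTP requests whose 'search' parameter carries a NUL byte,
the CVE-2014-6287 pattern quoted in the thread. Added example; the
log layout below is a constructed common-log-like format, not HFS's."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one benign search, one %00, one double-encoded
# %2500 (a common evasion of naive filters), one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /?search=%00abc HTTP/1.1" 200 99
10.0.0.7 - - [01/Jan/2020:10:00:03 +0000] "GET /?search=%2500abc HTTP/1.1" 200 99
10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /docs/?mode=list HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_nul_in_search(target: str) -> bool:
    """True if any 'search' query value contains a NUL after one round of
    percent-decoding, or still contains a literal '%00' (double-encoded)."""
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() != "search":
            continue
        for value in values:  # parse_qs already decoded %00 -> '\x00'
            if "\x00" in value or "%00" in value:
                return True
    return False


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line matching the NUL-in-search pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and has_nul_in_search(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} ({hit['status']})")
```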