rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: elektroinside on November 03, 2014, 05:01:07 PM

Title: Rejetto HTTP File Server (HFS) search feature fails to handle null bytes
Post by: elektroinside on November 03, 2014, 05:01:07 PM
Hi,

If this has been mentioned before, sorry.

I just found this: http://www.kb.cert.org/vuls/id/251276

Description
CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287
Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system.

Might be something to fix though, as I just restarted the entire Windows machine with this one...

Thanks!
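
Added example, not part of the original thread or of HFS: one way to check web-server access logs for requests whose query string carries a NUL byte, the input the advisory above says parserLib.pas fails to handle. The common-log-format lines, the `search` parameter name and the `PLACEHOLDER` values are constructed assumptions; the check also catches double-encoded NULs (`%2500`).

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (common log format assumed);
# none of these values come from the thread or from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2014:17:00:01 +0000] "GET /?search=holiday+photos HTTP/1.1" 200 5120
192.0.2.77 - - [03/Nov/2014:17:00:09 +0000] "GET /?search=%00PLACEHOLDER HTTP/1.1" 200 4096
192.0.2.77 - - [03/Nov/2014:17:00:12 +0000] "GET /?search=a%2500PLACEHOLDER HTTP/1.1" 200 4096
192.0.2.15 - - [03/Nov/2014:17:00:20 +0000] "GET /docs/report%2000.pdf HTTP/1.1" 200 88211
"""

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def has_nul(value, max_rounds=3):
    """True if value contains a NUL after up to max_rounds of percent-decoding."""
    for _ in range(max_rounds + 1):
        if "\x00" in value:
            return True
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:      # nothing left to decode
            return False
        value = decoded
    return False

def find_nul_requests(log_text):
    """Return (client, target) for every request whose query string hides a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        if has_nul(query):
            hits.append((m.group("client"), m.group("target")))
    return hits

if __name__ == "__main__":
    for client, target in find_nul_requests(SAMPLE_LOG):
        print(f"NUL byte in query from {client}: {target}")
```

A hit on a server that was running 2.3, 2.3a or 2.3b at the time is a reason to treat the host as potentially compromised, not just to update.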
Title: Re: Rejetto HTTP File Server (HFS) search feature fails to handle null bytes
Post by: xpl01t on November 05, 2014, 03:26:45 PM
Thanks for your report. By the way, this vulnerability was already fixed in the last version.
Title: Re: Rejetto HTTP File Server (HFS) search feature fails to handle null bytes
Post by: rejetto on November 06, 2014, 10:52:47 AM
elektroinside, you may have disabled (or ignored) automatic updates.