rejetto forum
Software => HFS ~ HTTP File Server => Bug reports => Topic started by: D on July 25, 2023, 05:00:40 AM
-
https://www.cvedetails.com/cve/CVE-2020-13432/
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: None (There is no impact to the integrity of the system.)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
If I read it correctly, this is a DoS solution that can't deal real damage, such as remote code execution?
Which HFS version is more secure (2.3m / 2.4 / 3.0)? Logically, not the beta versions, but they may have some vulnerabilities patched, I guess.
-
If I read it correctly, this is a DoS solution that can't deal real damage, such as remote code execution?
That's right, this is only a DoS (https://en.wikipedia.org/wiki/Denial-of-service_attack) issue, that could have a performance impact (it does NOT have a 'remote code execution' vulnerability). This was fixed in v2.4.0 RC1 (https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01), so if you want to avoid this issue, you can use that version (or any other later version, like v2.4 RC07 (https://github.com/rejetto/hfs2/releases/tag/v2.4-rc07)). HFS v3.0 (https://github.com/rejetto/hfs/releases) is a new software, that has been totally rewritten from the ground up (it has nothing to do with the old code of HFS v2.x).
Which HFS version is more secure (2.3m / 2.4 / 3.0)? Logically, not the beta versions, but they may have some vulnerabilities patched, I guess.
About 'which HFS version is more secure', in terms of security, it is always best to stick with the latest available version (this applies to any other software too). But the decision is always up to the end user.
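Defender-side triage for this issue, as an added example that is not part of the thread or of HFS itself: the version check encodes the "fixed in v2.4.0 RC1" statement above (anything below 2.4 counts as affected), and the log scan flags bursts of over-long URIs from one client, the traffic shape the CVE text describes. The access-log layout, thresholds and sample lines are constructed assumptions, not HFS's own log format.

```python
import re
from collections import Counter

# Constructed sample lines in a simple access-log layout (assumed; not HFS's
# own log format): timestamp, client IP, method, URI, status.
LONG_URI = "/" + "A" * 4000
SAMPLE_LOG = "\n".join(
    ["2023-07-25 05:00:40 198.51.100.2 GET /docs/readme.txt 200"]
    + ["2023-07-25 05:00:41 203.0.113.7 GET %s 200" % LONG_URI] * 6
    + ["2023-07-25 05:00:42 198.51.100.2 GET /docs/index.html 200"]
)

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def hfs_version_affected(version):
    """True if an HFS version string predates the 2.4 RC1 fix.

    Accepts forms like '2.3m', '2.4 RC07', '2.4.0' or '3.0.1'; only the
    major.minor pair matters because the fix landed in the first 2.4 RC."""
    m = re.match(r"\s*v?(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return (int(m.group(1)), int(m.group(2))) < (2, 4)


def find_long_request_bursts(log_text, uri_limit=2048, burst=5):
    """Return [(ip, timestamp, count)] for clients that sent at least
    `burst` over-long URIs within the same one-second timestamp."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparsable lines instead of failing the scan
        ts, ip, _method, uri, _status = m.groups()
        if len(uri) > uri_limit:
            hits[(ip, ts)] += 1
    return sorted((ip, ts, n) for (ip, ts), n in hits.items() if n >= burst)


if __name__ == "__main__":
    for v in ("2.3m", "2.4 RC07", "3.0"):
        print(v, "affected" if hfs_version_affected(v) else "fixed")
    for ip, ts, n in find_long_request_bursts(SAMPLE_LOG):
        print("burst of %d over-long URIs from %s at %s" % (n, ip, ts))
```

The same scan also catches over-long request headers if the log field holds the header length instead of the URI; the threshold is a tuning knob, not a value from the CVE.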