{"vuid":"VU#251276","idnumber":"251276","name":"Rejetto HTTP File Server (HFS) search feature fails to handle null bytes","keywords":["Rejetto","HFS","remote command execution","CWE-158"],"overview":"Rejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.","clean_desc":"CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287 Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system: http://<vulnerable instance>/?search==%00{.exec|calc.} Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.","impact":"A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.","resolution":"Apply an update\nThis issue is addressed in HFS version 2.3c and later, available here.","workarounds":"","sysaffected":"","thanks":"","author":"This document was written by Joel Land.","public":["http://cwe.mitre.org/data/definitions/158.html","http://www.rejetto.com/hfs/","http://sourceforge.net/projects/hfs/","http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html","https://github.com/rapid7/metasploit-framework/pull/3793"],"cveids":["CVE-2014-6287"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-09-24T12:45:10Z","publicdate":"2014-09-11T00:00:00Z","datefirstpublished":"2014-10-06T19:16:11Z","dateupdated":"2014-10-06T19:16:11Z","revision":14,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.5","cvss_basevector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","cvss_temporalscore":"6.2","cvss_environmentalscore":"4.63955305511841","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}