#######################################################################

                             Luigi Auriemma

Application:  HTTP File Server
              http://www.rejetto.com/hfs/
Versions:     refer to the Date field
Platforms:    Windows and Linux
Bugs:         A] authorization bypass
              B] endless loop
Exploitation: remote
Date:         A] 16 Oct 2008
              B] 05 Feb 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

HFS is a very nice and small file server for Windows, easy to use and with many interesting features.

#######################################################################

=======
2) Bugs
=======

-----------------------
A] authorization bypass
-----------------------

By appending %00 to the URL it is possible to download any file located in a password-protected private folder. The server returns HTTP status 401 instead of 200, but the file is transmitted normally anyway.

---------------
B] endless loop
---------------

Some particular characters (like '%') cause an endless loop that freezes the server.

#######################################################################

===========
3) The Code
===========

A] http://SERVER/protected_folder/secret_file.txt%00

B] http://SERVER/?search=%25%25

#######################################################################

======
4) Fix
======

All bugs were fixed the same day as the reports.

#######################################################################
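Both bugs in section 2 come down to how a server turns a raw request path into a decision: the %00 bypass works when authorization is decided before the NUL-truncated name is resolved, and the '%' freeze comes from a decoder that does not always advance on malformed escapes. The following Python is an added example written for this advisory, not HFS code and not the vendor's fix: a single-pass percent-decoder that rejects embedded NUL bytes and malformed escapes in bounded time, and a request handler that decides the status and the body together, so a 401 is never accompanied by the file. The file store, the protected prefix and the paths are constructed sample data.

```python
"""Strict request-path handling (added example, not HFS code).

- strict_percent_decode: one left-to-right pass; the index advances by 1 or 3
  on every iteration, so inputs such as '%%' or a trailing '%' cannot spin.
  A '%' not followed by two hex digits, or an escape that decodes to NUL
  (the %00 from the advisory), is rejected outright.
- handle_get: authorization is evaluated on the decoded path, and the status
  code and body are returned as one value, so a 401 never carries a file.
"""
import re
from typing import Optional, Tuple

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def strict_percent_decode(raw: str) -> str:
    """Decode %XX escapes exactly once; raise ValueError on anything unsafe."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:                      # bounded: i grows by 1 or 3 each pass
        ch = raw[i]
        if ch != "%":
            out += ch.encode("utf-8")
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) != 2 or not _HEX_PAIR.fullmatch(pair):
            raise ValueError(f"malformed percent-escape at offset {i}")
        byte = int(pair, 16)
        if byte == 0:
            raise ValueError(f"embedded NUL byte at offset {i}")
        out.append(byte)
        i += 3
    # UnicodeDecodeError is a ValueError subclass, so callers catch one type.
    return out.decode("utf-8")


def decodes_cleanly(raw: str) -> bool:
    """True if the path decodes without a rejection; handy for tests and logs."""
    try:
        strict_percent_decode(raw)
        return True
    except ValueError:
        return False


# Constructed sample file store, keyed by decoded path (hypothetical data).
FILES = {
    "/protected_folder/secret_file.txt": b"constructed secret content",
    "/public/readme.txt": b"constructed public content",
}
# Constructed: folders that require authentication.
PROTECTED_PREFIXES = ("/protected_folder/",)


def handle_get(raw_path: str, authenticated: bool) -> Tuple[int, Optional[bytes]]:
    """Return (status, body). Body is only ever non-None with a 200."""
    try:
        path = strict_percent_decode(raw_path)
    except ValueError:
        return 400, None              # reject, do not guess what was meant
    if not authenticated and any(path.startswith(p) for p in PROTECTED_PREFIXES):
        return 401, None              # status and body decided together
    body = FILES.get(path)
    if body is None:
        return 404, None
    return 200, body


if __name__ == "__main__":
    # The two request shapes from section 3 of the advisory, as constructed input.
    for raw, auth in [("/protected_folder/secret_file.txt%00", False),
                      ("/protected_folder/secret_file.txt", False),
                      ("/protected_folder/secret_file.txt", True)]:
        status, body = handle_get(raw, auth)
        print(f"{raw!r} auth={auth} -> {status}, body sent: {body is not None}")
    print("search value %25%25 decodes once to:", strict_percent_decode("%25%25"))
    print("'%%' accepted?", decodes_cleanly("%%"))
```

The decoder is deliberately single-pass: "%25%25" becomes the literal string "%%" and is not decoded again, and "%%" itself is refused as malformed rather than retried. The handler's signature forces the caller to treat status and body as one result, which is the property the %00 bypass violated.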