CVE-2008-0407

HFS HTTP File Server < 2.2b - Authentication Bypass

Title source: rule

Description

HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request.

References (8)

[Vendor Advisory] http://secunia.com/advisories/28631

[Various Sources] http://www.rejetto.com/hfs/?f=wn

[Various Sources] http://www.syhunt.com/advisories/hfs-1-username.txt

[Exploit] http://www.syhunt.com/advisories/hfshack.txt

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/39877

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/486874/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/27423

[Third Party Advisory] http://securityreason.com/securityalert/3582

Scores

EPSS 0.0044

EPSS Percentile 62.9%

Classification

CWE

CWE-287

Status draft

Affected Products (1)

hfs/http_file_server < 2.2b

Timeline

Published Jan 29, 2008

Tracked Since Feb 18, 2026