CVE-2008-0407

HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.rejetto.com/hfs/?f=wn
http://www.syhunt.com/advisories/hfs-1-username.txt
http://www.syhunt.com/advisories/hfshack.txt	Exploit
http://secunia.com/advisories/28631	Vendor Advisory
http://securityreason.com/securityalert/3582
http://www.securityfocus.com/bid/27423
https://exchange.xforce.ibmcloud.com/vulnerabilities/39877
http://www.securityfocus.com/archive/1/486874/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:hfs:http_file_server:*:*:*:*:*:*:*:*

Information

Published : 2008-01-28 16:00

Updated : 2018-10-15 14:59

NVD link : CVE-2008-0407

Mitre link : CVE-2008-0407

JSON object : View

CWE

CWE-287

Improper Authentication

Advertisement

Products Affected

hfs

http_file_server

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.rejetto.com/hfs/?f=wn", "name": "http://www.rejetto.com/hfs/?f=wn", "tags": [], "refsource": "MISC"}, {"url": "http://www.syhunt.com/advisories/hfs-1-username.txt", "name": "http://www.syhunt.com/advisories/hfs-1-username.txt", "tags": [], "refsource": "MISC"}, {"url": "http://www.syhunt.com/advisories/hfshack.txt", "name": "http://www.syhunt.com/advisories/hfshack.txt", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://secunia.com/advisories/28631", "name": "28631", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://securityreason.com/securityalert/3582", "name": "3582", "tags": [], "refsource": "SREASON"}, {"url": "http://www.securityfocus.com/bid/27423", "name": "27423", "tags": [], "refsource": "BID"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39877", "name": "hfs-username-spoofing(39877)", "tags": [], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/486874/100/0/threaded", "name": "20080123 Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-287"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2008-0407", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2008-01-29T00:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:hfs:http_file_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.2b"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-15T21:59Z"}