Software Engineering Institute

CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287

Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:

http://<vulnerable instance>/?search==%00{.exec|calc.}

Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.

A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.

Apply an update
This issue is addressed in HFS version 2.3c and later, available here.