Rejetto · HTTP File Server · CVE-2008-0410
**Name of the Vulnerable Software and Affected Versions**
HTTP File Server (HFS) versions prior to 2.2c
**Description**
The issue allows remote attackers to obtain configuration and usage details by supplying an `id` element, such as `<id>%version%</id>`, in HTTP Basic Authentication in place of a username and password. For example, an attacker could place this `id` element in the `userinfo` subcomponent of a URL, like `http://example.com/%3Cid%3E%25version%25%3C/id%3E`, to exploit this issue.
**Recommendations**
For versions prior to 2.2c, update to version 2.2c or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP File Server until the update can be applied.
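While access is restricted or the update is pending, request logs can be checked for the pattern described above. The following is an added detection sketch, not code from the HFS project or the original advisory: it decodes the Basic Authentication username and the request target and flags an `<id>` element or a `%name%` token. Matching any `%name%` token (not only `%version%`) is an assumption, and the function names and sample requests are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# An <id> element, or a %name% token such as the %version% shown in the advisory.
# Assumption: any %name% token in a username or path is worth reviewing.
SUSPICIOUS = re.compile(r"<\s*/?\s*id\s*>|%[A-Za-z][\w-]*%", re.IGNORECASE)

def basic_auth_username(header_value):
    """Return the username from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64: nothing to inspect
    return decoded.decode("latin-1").partition(":")[0]

def flag_request(request_target, authorization=None):
    """Return the reasons a request matches the CVE-2008-0410 pattern (empty if none)."""
    reasons = []
    if authorization:
        user = basic_auth_username(authorization)
        if user is not None and SUSPICIOUS.search(user):
            reasons.append("basic-auth username: " + user)
    # Decode percent-encoding first so %3Cid%3E is seen as <id>.
    path = unquote(request_target)
    if SUSPICIOUS.search(path):
        reasons.append("request target: " + path)
    return reasons

# Constructed sample requests (not real logs): (request target, Authorization value).
SAMPLES = [
    ("/", "Basic " + base64.b64encode(b"<id>%version%</id>:").decode()),
    ("/%3Cid%3E%25version%25%3C/id%3E", None),
    ("/files/report.pdf", "Basic " + base64.b64encode(b"alice:secret").decode()),
]

if __name__ == "__main__":
    for target, auth in SAMPLES:
        print(target, "->", flag_request(target, auth) or "clean")
```

The `%name%` match is a heuristic and can flag ordinary file names that contain two percent signs, so treat hits as items to review rather than confirmed probes.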