Vulnerability Note VU#251276

Rejetto HTTP File Server (HFS) search feature fails to handle null bytes

Original Release date: 06 Oct 2014 | Last revised: 06 Oct 2014


Rejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.


CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287

Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:

http://<vulnerable instance>/?search==%00{.exec|calc.}

Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.
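A log check for the request pattern described above, as an added example that is not part of the original note: it flags access-log request lines whose search parameter decodes to a NUL byte, and marks those where an HFS macro opener ({.) follows the NUL. The log format, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line as it appears in common/combined-style access logs (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def classify_target(target):
    """Classify a request target (path?query).

    Returns "nul+macro" if the search parameter holds a NUL byte followed by an
    HFS macro opener "{.", "nul" if it holds a NUL byte only, otherwise None.
    """
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so %00 and %7B are normalised.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() != "search" or "\x00" not in value:
            continue
        after_nul = value.split("\x00", 1)[1]
        return "nul+macro" if "{." in after_nul else "nul"
    return None

def scan(lines):
    """Return (line_number, verdict) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        verdict = classify_target(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2014:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Oct/2014:10:00:02 +0000] "GET /?search==%00{.exec|calc.} HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Oct/2014:10:00:03 +0000] "GET /?search=%00 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2014:10:00:04 +0000] "GET /docs/?Search=%3D%00%7B.exec%7Ccalc.%7D HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Oct/2014:10:00:05 +0000] "GET /files/a%00b.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```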


A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.


Apply an update
This issue is addressed in HFS version 2.3c and later.

Vendor Information

Vendor   Status    Date Notified  Date Updated
Rejetto  Affected  03 Oct 2014    06 Oct 2014

CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       6.2    E:F/RL:OF/RC:C
Environmental  4.6    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2014-6287
  • Date Public: 11 Sep 2014
  • Date First Published: 06 Oct 2014
  • Date Last Updated: 06 Oct 2014
  • Document Revision: 14

