Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-39943 PoC — rejetto HFS 安全漏洞

Source
https://github.com/Heyholiday067/CVE-2024-39943-Poc
Associated Vulnerability
Title:rejetto HFS 安全漏洞 (CVE-2024-39943)
Description:rejetto HFS是意大利Massimo Melina个人开发者的一款基于Web的文件服务器。 rejetto HFS 0.52.10之前版本存在安全漏洞,该漏洞源于允许经过身份验证的远程用户执行操作系统命令。
Description
CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Readme
# CVE-2024-39943-Poc
CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Deploy: ``` ./hfs --config config.yaml ```


https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/c9e3d7ec-9181-43b5-8230-82c36fbf8a2b
File Snapshot

 [4.0K]  /data/pocs/b9c17fbaea8c4fa28f28fc0be25f62869de695ef
├── [ 199]  config.yaml
├── [ 23M]  hfs-linux.zip
├── [1.0K]  poc.py
└── [ 481]  README.md

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.