Advisory-ID: 200801161 Discovery Date: 1.16.2008 Release Date: 1. Dungeon Siege 2 Pc Iso Complete R. 23.2008 Affected Applications: HFS 2.0 to and including 2. Israel Houghton Jesus At The Center Album. 3(Beta Build #174) Non-Affected Applications: HFS 1.6a and earlier versions Class: Cross-Site Scripting (XSS), Information Disclosure Status: Patch available/Vendor informed Vendor: Massimo Melina Vendor URL: -or- The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities: • CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS • CVE-2008-0410 - Information Disclosure Vulnerability. Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times. Description: When a specific URL is visited, HFS displays a non-existent account name in the response body. This non-existent account name can be HTML code, allowing a remote attacker to use this to launch XSS attacks. Because the HTML code is also recognized by the web server as a HFS HTML template, it is also possible to inject symbols to force HFS to reveal details about the server (eg, current HFS server version, build, connections, timestamp, uptime, current outbound and inbound speed, and more). Technical details are included below. Serial Numbers On Baldwin Pianos.