Description
hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password.
Product(s):
- HylaFAX 4.1.1
- HylaFAX 4.1.2
- HylaFAX 4.1.3
- HylaFAX 4.1.5
- HylaFAX 4.1.6
- HylaFAX 4.1.7
- HylaFAX 4.1.8
- HylaFAX 4.1 Beta 1
- HylaFAX 4.1 Beta 2
- HylaFAX 4.1 Beta 3
- HylaFAX 4.2.0
Questions to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2004-1182, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2004-1182 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.