rejetto forum
Software => HFS ~ HTTP File Server => FHFS => Topic started by: LeoNeeson on August 29, 2016, 04:24:09 AM
-
@Raybob: Is there going to be any update on this? Since in the HFS.ini of FHFS v2.1.3, the updates of the internal HFS (server.dll) are not automatic (update-automatically=no), it would be great to have an updated version with the last HFS v2.3i Build #297 (http://www.rejetto.com/forum/hfs-~-http-file-server/new-version-2-3i/) running out-of-the-box. There are many users out there who are still using FHFS with a built-in outdated HFS v2.3d Build #292. And since there was a VERY important security update in this last version, many users may be exposed to hackers, like recently happened here (http://www.rejetto.com/forum/fhfs/all-users-suddenly-missing!/). I understand that having the automatic updates disabled is to ensure everything keeps working/compatible with the rest of the FHFS code. I also understand that you may not want (or have the time) to be updating FHFS every time a new version of HFS is out, but this time it is critical to have an update (since it fixed a "Remote Command Execution" exploit).
-
i agree that it should be "recompiled", but you can replace hfs.exe with the updated one and all will work...
install fhfs, download current hfs, open install directory, replace hfs.exe file....
etc..etc...
Last i knew, raybob was working on another project, he emailed me and i looked into it, but i was not able to program or do much with it.
i forget the project's name....
looking at my old message:
Andromeda -fhfs 3.0
http://www.rejetto.com/forum/fhfs/fhfs-is-being-superceded-by-new-software-looking-for-developers/msg1059286/?topicseen#msg1059286
so idk the status of his time or other...
i don't think fhfs 2.0 will be getting recompiled...
-
i agree that it should be "recompiled", but you can replace hfs.exe with the updated one and all will work...
Yes, I know that, but every user who downloads FHFS from SourceForge would be exposed to vulnerabilities, if he doesn't know he should update HFS. I was talking for helping those users, not for me. :-\
i don't think fhfs 2.0 will be getting recompiled...
It doesn't need to be recompiled. It's just as simple as updating the current ZIP file of FHFS v2.1.3 with the latest version of the HFS.exe file (server.dll). Then, rename and upload the updated ZIP file as a new version (FHFS v2.1.4) to SourceForge.
Well, I'm just saying... If it can't be done, it's OK.
It was only a suggestion, not a request.
-
Correct me if I'm wrong but I was under the impression that the security vulnerabilities in HFS were due to its template and not the executable itself. If that's the case then FHFS is not affected since it uses its own templates.
-
I'm afraid not. It's CVE-2014-6287 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287) (you can check this vulnerability report here (https://www.exploit-db.com/exploits/34668/)). The vulnerability is related to the internal HFS search function, so it's not related to templates at all. But Rejetto will have the final word and confirmation on this.
-
I tried updating all the binaries with FHFS and immediately there was a new bug with logging in. Apparently HFS now doesn't let you add more than one cookie per request unless you use ; to separate them. I don't have the time to spend debugging and troubleshooting and updating this project, and unfortunately it's just old and probably more insecure than I can fix. So, I've removed the Sourceforge pages and I'm calling it officially discontinued. Anyone who really wants source code or to download it can message me here.
-
Anyone who really wants source code or to download it can message me here.
I've sent you a message. ;)
-
if you pass by Roma, don't forget to write me and we'll have a coffee together :)
-
if you pass by Roma, don't forget to write me and we'll have a coffee together :)
I guess this message was intended for raybob, but if it was to me, sure, no problem, thanks for the invitation. I hope to visit Italy some day in the future. 8)
-
I noticed that the sourceforge pages no longer exist.. how can somebody get a copy of FHFS just to play with it?
-
I noticed that the sourceforge pages no longer exist.. how can somebody get a copy of FHFS just to play with it?
well, i thought they were still here:
http://www.rejetto.com/forum/fhfs/version-2-0-0-release-download/msg1060565/#msg1060565
but i'm wrong... i will see if i still have a download
my downloads are gone for it, and i'm not finding an older source, if another user still has the download and feels like sharing it
https://web.archive.org/web/20160923113615/https://sourceforge.net/projects/fhfs/files/2.1.x/2.1.3/
https://forum.filezilla-project.org/viewtopic.php?t=22427
looks like the last known page was recorded the 23 of sep, you could petition Sourceforge via email support to get it back...
-
Maybe I'll upload FHFS to github or something. I didn't want it on sourceforge because it gave the impression that it was a solid finished product and while it once was, I haven't maintained it in a while. Plus, Sourceforge was flagging it as infected due to HFS which was annoying :/
Anyone that really wants to download FHFS in the meantime can go here
https://1drv.ms/f/s!AvtYl4Gpzql2ozMaB8_L4BNzf_HH
-
I guess this message was intended for raybob, but if it was to me, sure, no problem, thanks for the invitation. I hope to visit Italy some day in the future. 8)
i honestly don't remember who was that for, but it's valid for you too Leo, and any other longtimer :)