rejetto forum

Software => HFS ~ HTTP File Server => FHFS => Topic started by: LeoNeeson on August 29, 2016, 04:24:09 AM

Title: FHFS: Is there going to be any update on this?
Post by: LeoNeeson on August 29, 2016, 04:24:09 AM
@Raybob: Is there going to be any update on this? Since in the HFS.ini of FHFS v2.1.3, the updates of the internal HFS (server.dll) are not automatic (update-automatically=no), it would be great to have an updated version with the last HFS v2.3i Build #297 (http://www.rejetto.com/forum/hfs-~-http-file-server/new-version-2-3i/) running out-of-the-box. There are many users out there who are still using FHFS with a built-in outdated HFS v2.3d Build #292. And since there was a VERY important security update in this last version, many users may be exposed to hackers, like recently happened here (http://www.rejetto.com/forum/fhfs/all-users-suddenly-missing!/). I understand that having the automatic updates disabled is to ensure everything keeps working/compatible with the rest of the FHFS code. I also understand that you may not want (or have the time) to be updating FHFS every time a new version of HFS is out, but this time is critical to have an update (since it fixed a "Remote Command Execution" exploit).
Title: Re: Is there going to be any update on this?
Post by: bmartino1 on August 29, 2016, 10:48:55 PM
i agree that it should be "recompiled", but you can replce hfs.exe with the updated one and all will work...

install fhfs, download current hfs, open install directory, replace hfs.exe file....

etc..etc...

Last i knew, raybob was working on another project, he emailed me and i looked into it, but i was not able to program or do much with it.
i forget the projects name....

looking at my old mesage:
Andromeda -fhfs 3.0
http://www.rejetto.com/forum/fhfs/fhfs-is-being-superceded-by-new-software-looking-for-developers/msg1059286/?topicseen#msg1059286

so idk the status of his tiem or other...

i don't think fhfs 2.0 will be geting recomplied...
Title: Re: Is there going to be any update on this?
Post by: LeoNeeson on August 30, 2016, 06:04:52 AM
i agree that it should be "recompiled", but you can replce hfs.exe with the updated one and all will work...
Yes, I know that, but every user who downloads FHFS from SourceForge, would be exposed to vulnerabilities, if doesn't know he should update HFS. I was talking for helping those users, not for me. :-\

i don't think fhfs 2.0 will be geting recomplied...
It doesn't need to be recompiled. Is just as simple as updating the current ZIP file of FHFS v2.1.3, with the latest version of the HFS.exe file (server.dll). Then, rename and upload the updated ZIP file as a new version (FHFS v2.1.4) to SourceForge.

Well, I'm just saying... If it can't be done, it's OK.
It was only a suggestion, not a request.
Title: Re: Is there going to be any update on this?
Post by: raybob on September 02, 2016, 03:14:01 PM
Correct me if I'm wrong but I was under the impression that the security vulnerabilities in HfS were due to its template and not the executable itself.  If that's the case then FHFS is not affected since it uses its own templates.
Title: Re: Is there going to be any update on this?
Post by: LeoNeeson on September 04, 2016, 04:38:29 AM
I'm afraid not. It's CVE-2014-6287 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287) (you can check this vulnerability report, here (https://www.exploit-db.com/exploits/34668/)). The vulnerability it's related to the internal HFS search function, so, it's not related to templates at all. But Rejetto will have the final word and confirmation on this.

Title: Re: Is there going to be any update on this?
Post by: raybob on September 04, 2016, 11:13:18 PM
I tried updating all the binaries with FHFS and immediately there was a new bug with logging in.  Apparently HFS now doesn't let you add more than one cookie per request unless you use ; to separate them.  I don't have the time to spend debugging and troubleshooting and updating this project, and unfortunately it's just old and probably more insecure than I can fix.  So, I've removed the Sourceforge pages and I'm calling it officially discontinued.  Anyone who really wants source code or to download it can message me here.
Title: Re: Is there going to be any update on this?
Post by: LeoNeeson on September 05, 2016, 05:15:02 AM
Anyone who really wants source code or to download it can message me here.
I've sent you a message. ;)
Title: Re: Is there going to be any update on this?
Post by: rejetto on September 18, 2016, 09:19:23 AM
if you pass by Roma, don't forget to write me and we'll have a coffee together :)
Title: Re: Is there going to be any update on this?
Post by: LeoNeeson on September 19, 2016, 06:55:51 AM
if you pass by Roma, don't forget to write me and we'll have a coffee together :)
I guess this message was intended to raybob, but if it was to me, sure, not problem, thanks for the invitation. I hope to visit Italy some day in the future. 8)
Title: Re: FHFS: Is there going to be any update on this?
Post by: jasonslan on September 27, 2016, 02:40:43 AM
I noticed that the sourceforge pages no longer exist.. how can somebody get a copy of FHFS just to play with it?
Title: Re: FHFS: Is there going to be any update on this?
Post by: bmartino1 on September 27, 2016, 06:25:17 AM
I noticed that the sourceforge pages no longer exist.. how can somebody get a copy of FHFS just to play with it?

well, i thought they were still here:
http://www.rejetto.com/forum/fhfs/version-2-0-0-release-download/msg1060565/#msg1060565

but i'm wrong... i will see if i still have a download
my downloads are gone for it, and i'm not finding a older source, if another uses still has the download and feels like sharing it
https://web.archive.org/web/20160923113615/https://sourceforge.net/projects/fhfs/files/2.1.x/2.1.3/

https://forum.filezilla-project.org/viewtopic.php?t=22427

lloks like the last know page was recorded the 23 of sep, you could petition Sourceforge via email support to get it back...
Title: Re: FHFS: Is there going to be any update on this?
Post by: raybob on September 30, 2016, 07:56:09 PM
Maybe I'll upload FHFS to github or something.  I didn't want it on sourceforge because it gave the impression that it was a solid finished product and while it once was, I haven't maintained it in a while.  Plus, Sourceforge was flagging it as infected due to HFS which was annoying :/

Anyone that really wants to download FHFS in the meantime can go here
https://1drv.ms/f/s!AvtYl4Gpzql2ozMaB8_L4BNzf_HH
Title: Re: FHFS: Is there going to be any update on this?
Post by: rejetto on July 15, 2017, 07:28:20 PM
I guess this message was intended to raybob, but if it was to me, sure, not problem, thanks for the invitation. I hope to visit Italy some day in the future. 8)

i honestly don't remember who was that for, but it's valid for you too Leo, and any other longtimer :)