
unimportant leaks through to error section


danny:
If [error-page] is present, that content will be a response to ban/disconnect/scanner.
Next,
No matter if the [error-page] section is present or not, the contents of [overload] will be a response to banned/disconnect/scanner.

This is unintentionally verbose/pingable.

Also, if you do the hide-root thing, Throwback14 is rigged not to leak at /, but if you ask for url/File, the overload section is the response even if you don't have a folder named file. Apparently, /file has a special meaning and always exists.

Here is a patch:
Delete the [error-page] section (if any). Throwback14 doesn't have it.
And also,
The [overload] section should start off with 3 filter macros:
{.if|!%user%|{:{.if|{.%url% = /.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /file.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /File.}|{:{.disconnect.}:}.}:}.}
Does: Don't send extra messages to strangers seeking /, /file, /File.
Pseudocode: If a stranger caused overload at /, then disconnect; and, if a stranger caused overload at /file, then disconnect; and, if a stranger caused overload at /File, then disconnect.

If there are more built-ins, then the filter which starts the [overload] section should be revised to:
{.if|!%user%|{:{.disconnect.}:}.}
Pseudocode: Don't send the overload message to strangers.
I updated my home server to that, because I don't know how many built-ins there are (such as /file, which always exists).

The question is:
Should the security update be done in the template or in hfs.exe?
If it was a good idea to put the security update into a template, then I'd need to ask a moderator to unlock the Throwback template thread.

Severity:
Least impact. Almost none. Hideroot-style security effort is not expected to succeed on port 80; and common scanners don't check every uncommon port to see if web servers respond to /file, because it is unfeasible to use a scanner in that way.

In my opinion:
A template could not be fully effective at hideroot security efforts (not a total means of security, but it lasts until a change). A template could do either the least or a more verbose response. Only hfs.exe could do zero response. Perhaps an option could be added to make no response to / or to any folders which don't exist? I'm glad that Throwback and Takeback have better inbuilt security than any other templates; however, I think it would be a bit more effective if the .exe did the job. Again, the security gap reported is least-impact (of least concern). But it could be improved.

LeoNeeson:
Thanks for the report. :) I think Throwback14 doesn't need to be updated, since it was a template meant for v2.3x. Most users are still using the last stable v2.3m, so I think those who don't like the new changes will stay on that version. The new v2.4 has changed a lot of things, so, like it or not, those changes are here to stay... :-X ::)

Anyway, I hope Rejetto could review your comment.
Cheers,
Leo.-

danny:

--- Quote from: LeoNeeson on June 10, 2020, 06:08:44 AM ---Thanks for the report. :) I think Throwback14 doesn't need to be updated, since it was a template meant for v2.3x. Most users are still using the last stable v2.3m, so I think those who don't like the new changes will stay on that version. The new v2.4 has changed a lot of things, so, like it or not, those changes are here to stay... :-X ::)

Anyway, I hope Rejetto could review your comment.
--- End quote ---
Thanks!
I would like to see the update in the .exe, because macros are not completely effective for silence.

rejetto:
Hi, HFS 2.4 sadly won't be compatible with 2.3 templates.
The error-page behavior can be a consequence of an old template. If you didn't have [error-page] before, you just need to put a line at the end of the tpl with just [error-page].
At the moment you cannot make a template that works on both; you must make 2 versions.
I think I can easily introduce a way to have the same template specify that a section is for a specific version, so as to have a single file.
We are collecting some rules about new templates at http://rejetto.com/forum/index.php?topic=13326.0


--- Quote ---No matter if [error-page] section is present or not, contents of [overload] will be a response to banned/disconnect/scanner

--- End quote ---

Not to banned. For those there is [ban].
Now that I think of it, this [error-page] is a leftover from when we had no {.scripting.}.
Maybe we should dismiss it. I don't know if this is a good time.


--- Quote ---Should the security update be done at the template or at hfs.exe?
--- End quote ---

I guess you are talking about your script that disconnects if you are not logged in.
That behavior doesn't seem so universally desirable. There are many users with publicly accessible servers.
This other behavior can be packed in a *.diff.tpl file (new feature) and installed by those who want it.
And we should make a sort of repository/directory for these "plugins".


--- Quote from: danny on June 10, 2020, 08:40:07 AM ---I would like to see the update in the .exe because macros are not completely effective for silence.

--- End quote ---

Can you tell me in what way they are less effective?

Mars:
Suggestion...

{.if|!%user%|{:{.if|{.%url% = /.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /file.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /File.}|{:{.disconnect.}:}.}:}.}

replaced by:

{.if|!%user%|{:{.if|{.match|^\/([Ff]ile(\/)?)?$|%url%.}|{:{.disconnect.}:}.}:}.}

Can be tested at https://regexr.com/ or https://regex101.com/tests

mask = ^\/([Ff]ile(\/)?)?$

working text
/
/file
/file/
/File
/File/
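The two filter forms in this thread (danny's three chained literal comparisons against /, /file and /File, and Mars's single {.match.} using the mask ^\/([Ff]ile(\/)?)?$) can be compared outside HFS. The Python below is an added example, not code from the thread or from HFS; it re-implements only the decision logic of the macros (the {.if|!%user%|...} guard plus the path test) so the two variants can be run against the "working text" list and against a few constructed paths the post does not list. It assumes, as the macros do, that %user% is empty for an unauthenticated visitor and that %url% is the request path without a query string.

```python
import re

# Mask exactly as proposed in the thread (Python raw string, "\/" is just "/").
UNAUTH_MASK = re.compile(r"^\/([Ff]ile(\/)?)?$")

# The three paths tested by the original chained {.if|{.%url% = X.}...} macros.
LITERAL_PATHS = ("/", "/file", "/File")


def literal_filter_matches(url: str) -> bool:
    """Emulate the chain of three exact-equality checks."""
    return url in LITERAL_PATHS


def regex_filter_matches(url: str) -> bool:
    """Emulate {.match|^\/([Ff]ile(\/)?)?$|%url%.} (anchored, so a full-path match)."""
    return UNAUTH_MASK.match(url) is not None


def should_disconnect(user: str, url: str, use_regex: bool = True) -> bool:
    """Emulate the outer {.if|!%user%|...}: logged-in users are never filtered.

    Assumption: %user% is the empty string for an anonymous request.
    """
    if user:
        return False
    return regex_filter_matches(url) if use_regex else literal_filter_matches(url)


def compare(urls):
    """Map each url to (literal_result, regex_result) to see where the forms differ."""
    return {u: (literal_filter_matches(u), regex_filter_matches(u)) for u in urls}


# Constructed sample input: the post's "working text" plus a few extra paths
# chosen to show where the regex is broader (trailing slash) and where both
# forms stop matching (different case, longer name, sub-path).
SAMPLE_URLS = ["/", "/file", "/file/", "/File", "/File/", "/FILE", "/files", "/file/x"]

if __name__ == "__main__":
    for url, (lit, rx) in compare(SAMPLE_URLS).items():
        print(f"{url:10} literal={lit!s:5} regex={rx!s:5}")
```

Running it shows that the regex covers everything the three literal checks do and additionally the trailing-slash forms /file/ and /File/, while neither form matches /FILE, /files or /file/x, so a server operator can see exactly which anonymous requests would receive no overload body under each variant.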