rejetto forum



Messages - Mars

1
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 09, 2025, 12:46:12 PM »
What is missing is a switch of templates, as exists when we use a computer or a smartphone for example, but in this case it's simpler to have two versions of hfs and run only the one with or without macros ;D

2
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 08, 2025, 01:08:21 PM »
In the face of all these hacking possibilities, it comes down to the fact that hfs is running on a virtual machine in a restricted environment. ;D

HFS is of an old design; no matter how much we try to plug the holes, we'll never be safe from further leaks.
It is always possible to use version 2.2f, which makes it possible to distribute content as one would watch a film,

otherwise we use a version with macros, which allows a certain interactivity, but it's like with games: there are always some who will try to cheat, winning not much except the idea that they beat the designer in his efforts to make his product inviolable. It's a racing game where we can quickly make mistakes that make us lose the race.

The race here is one of inventiveness, which will let the cleverest supplant the other by cutting the grass from under his feet; like a chess player, it is not because we lose pieces, or even the queen, that we are down, as long as checkmate is not announced 8) 8)

3
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 07, 2025, 01:30:08 AM »
@Rapid

With a download size of 0 bits, your HFS breaks all compression records  ;D ;D ;D

4
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 03, 2025, 11:31:41 PM »

Since there are still fans of hfs 2.3m build 300 who are concerned about the risk of being hacked through the EXEC macro, the simplest thing at the moment is to allow deactivation of this macro, which is only rarely used and in very specific cases.

The solution envisaged, limiting the accessible external programs to a reduced list, is not possible for the moment, as long as effective filtering is not possible.


This is an ephemeral link to a version compressed with upx, which has not been endorsed by rejetto, but because of my previous participation in the project I can afford it without waiting ;)
It integrates a button in the toolbar to activate the use of the exec macro.
HFS 2.3m build 305

The macro is systematically in OFF mode as soon as the server is started up, or at each change of state of the latter.

The macro is automatically deactivated when the display is switched to EASY mode, and the button is inoperative.

When the conditions are met, it is possible to activate the use of the EXEC macro for a period of 30 seconds; this value can be modified by right-clicking on the button.

Any change to a value other than the one displayed when the message opens causes the timer to stop, so it is necessary to reactivate the button.

For simplicity, a zero value inhibits the timer and the button becomes a simple state flip-flop; otherwise it behaves like a timer.
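The arming behaviour described in this post, modelled as a small state machine. This is an added example in Python, not code from HFS or from the build 305 linked above; the class name `ExecMacroSwitch`, the method names and the injectable clock are assumptions made so the rules (OFF on every server state change, inoperative in EASY mode, a 30-second window, zero meaning a plain flip-flop, and a changed value stopping the timer) can be exercised offline.

```python
import time
from typing import Callable, List, Optional

# Added example, not HFS code: an arming switch for a dangerous capability such as the
# EXEC macro. Every rule below is taken from the post; the clock is injectable so the
# timer can be driven deterministically in a test.


class ExecMacroSwitch:
    def __init__(self, seconds: int = 30, clock: Callable[[], float] = time.monotonic):
        self.seconds = seconds            # 0 turns the button into a flip-flop
        self.clock = clock
        self.easy_mode = False
        self._armed_until: Optional[float] = None   # None means OFF
        self._latched = False                       # only used when seconds == 0

    def server_state_changed(self) -> None:
        """Server started, stopped or restarted: EXEC always goes back to OFF."""
        self._armed_until = None
        self._latched = False

    def set_easy_mode(self, easy: bool) -> None:
        """Switching the display to EASY mode deactivates the macro."""
        self.easy_mode = easy
        if easy:
            self.server_state_changed()

    def set_timeout(self, seconds: int) -> None:
        """Right-click on the button: a value different from the displayed one stops the timer."""
        if seconds != self.seconds:
            self.seconds = seconds
            self.server_state_changed()

    def press(self) -> bool:
        """Toggle the button; returns whether EXEC is enabled after the press."""
        if self.easy_mode:                # button is inoperative in EASY mode
            return False
        if self.seconds == 0:             # flip-flop behaviour
            self._latched = not self._latched
            return self._latched
        if self.enabled():                # pressing while armed disarms
            self._armed_until = None
            return False
        self._armed_until = self.clock() + self.seconds
        return True

    def enabled(self) -> bool:
        if self.easy_mode:
            return False
        if self.seconds == 0:
            return self._latched
        return self._armed_until is not None and self.clock() < self._armed_until


def demo() -> List[bool]:
    """Walk through the described behaviour with a fake clock; returns the enabled() values seen."""
    now = [0.0]
    sw = ExecMacroSwitch(seconds=30, clock=lambda: now[0])
    seen = [sw.enabled()]                          # False: OFF right after start
    sw.press(); seen.append(sw.enabled())          # True: armed for 30 s
    now[0] = 29.0; seen.append(sw.enabled())       # True: still inside the window
    now[0] = 31.0; seen.append(sw.enabled())       # False: window expired
    sw.press(); sw.server_state_changed(); seen.append(sw.enabled())   # False: state change resets
    sw.press(); sw.set_easy_mode(True); seen.append(sw.enabled())      # False: EASY mode
    seen.append(sw.press())                        # False: button inoperative in EASY mode
    sw.set_easy_mode(False); sw.set_timeout(0); seen.append(sw.press())  # True: flip-flop
    now[0] = 1000.0; seen.append(sw.enabled())     # True: no timer when the value is zero
    return seen
```

The point of the window is that the dangerous feature is never left on by accident: forgetting to press the button again, restarting the server or switching to EASY mode all fail closed.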

5
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 06, 2024, 06:10:59 PM »
Hello to both of you. Even if I am not involved in HFS3, which for me represents a completely different project from HFS2.x, I keep an eye on the possible changes to be made to the latter.

With some similar approaches I did not arrive at a satisfactory result; there are indeed not only the urlvars to control but also the recursion of the attack by using %url%, and it is also necessary to take into account the postvars and, as rejetto said, the attacks by headers.

I looked into a more restrictive use of the EXEC macro, by limiting the programs to launch to those contained exclusively in a subdirectory of HFS, but I do not manage the %url% in the loop state.

Quote
  procedure exec_();
  var
    s, prog: string;
    code: cardinal;
  begin
    // keep only the file name of the requested program and look for it in the exec\
    // subdirectory of the HFS folder; anything that is not there is refused and disconnected
    prog:=exepath+'exec\'+extractFileName(macroDequote(p));
    if not fileExists(prog) then
      begin
        pars.clear();
        result:='';
        mainfrm.add2log('DISCONNECTED'+CRLF+prog);
        disconnect();
        exit;
      end;

    // second parameter: the command line handed to the program
    s:=macroDequote(par(1));
    if fileOrDirExists(s) then
      s:=quoteIfAnyChar(' ', s)
    else
      if unnamedPars < 2 then
        s:='';
    // run the confined path (prog), never the caller's original string, so a request
    // naming a program elsewhere on disk cannot slip past the check above
    if parExist(['out']) or parExist(['timeout']) or parExist(['exit code']) then
      try
        spaceIf(captureExec(prog+nonEmptyConcat(' ', s), s, code, parF('timeout',2)));
        try setVar(parEx('exit code'), intToStr(code)) except end;
        setVar(parEx('out'), s);
      except end
    else
      spaceIf(exec(prog, s))
  end; // exec_

Put the file calc.exe (to test) inside a new exec\ subdir and use the macro {.exec|calc.exe.}; the bad syntax without extension, {.exec|calc.}, is stopped.

This is a safe and absolute start for those who do not leave an executable in the exec\ directory.

What a hacker doesn't know about available resources is an obstacle to hacking.
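The confinement rule from the Delphi snippet above, written out in Python so it can be run against a throwaway directory. This is an added example, not HFS code; `confine_exec` and `demo` are names chosen here, and the `exec\` folder holding a placeholder `calc.exe` is constructed inside a temporary directory. It follows the same rule (keep only the file name, require it to exist under `exec\`, run the confined path) and shows why `{.exec|calc.}` is refused.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Added example, not HFS code: map an EXEC request onto the exec\ subdirectory and refuse
# anything that does not resolve to an existing file inside it.


def confine_exec(exec_dir: Path, requested: str) -> Optional[Path]:
    """Return the path inside exec_dir that the request maps to, or None to refuse."""
    # keep only the final component, like Delphi's extractFileName; both separators count on Windows
    name = requested.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not name or name in (".", ".."):
        return None
    candidate = (exec_dir / name).resolve()
    # belt and braces: the resolved path must still sit inside exec_dir
    try:
        candidate.relative_to(exec_dir.resolve())
    except ValueError:
        return None
    # {.exec|calc.} has no extension, so no file named "calc" exists and it is refused
    if not candidate.is_file():
        return None
    return candidate   # this confined path is what gets executed, not the caller's string


def demo() -> Dict[str, Optional[str]]:
    """Run the check against a constructed exec\\ directory holding only calc.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        exec_dir = Path(tmp) / "exec"
        exec_dir.mkdir()
        (exec_dir / "calc.exe").write_bytes(b"MZ")  # placeholder bytes, not a real executable
        requests = [
            "calc.exe",                           # allowed: exists in exec\
            "calc",                               # refused: no such file
            "C:\\Windows\\System32\\calc.exe",    # mapped onto exec\calc.exe, the original path is ignored
            "../../outside.exe",                  # refused: only the file name is kept, and it is absent
            "",                                   # refused: empty request
        ]
        results: Dict[str, Optional[str]] = {}
        for req in requests:
            got = confine_exec(exec_dir, req)
            results[req] = got.name if got else None
        return results
```

The third request is the case the comment in the Delphi snippet is about: the check passes because `exec\calc.exe` exists, so the program that runs must be that file and not whatever path the caller wrote.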

6
Everything else / Re: Message to Rejetto: forum's email is broken
« on: August 05, 2024, 11:19:54 PM »

works as expected, bots will be able to have fun again

 :o

8
HFS ~ HTTP File Server / Re: HFS including SSl tools
« on: January 15, 2024, 09:13:31 PM »
Unless you are on 32-bit Windows, you can replace the stunnel included in hfs with the latest 64-bit version available for download there

https://www.stunnel.org/downloads.html

9
HFS versions 2.3 and 2.4 will no longer evolve; the VFS recording format cannot be modified, in order to maintain compatibility between these versions.

A new HFS 3.0 development has been implemented by rejetto; follow this link
https://rejetto.com/forum/index.php?board=46.0

10
Your HFS works correctly; access via your external IP is viable, I was able to verify it by using it directly.

Rather than using the DNS address from your smartphone, carry out the manipulation using the external IP that your HFS can obtain from Menu->Ip address->Find external address.

Don't give your IP here; rejetto and I already have it in your profile.

11
This is the only method that comes to mind, and I hope that it will solve your problem of loss of VFS ;)

switch to expert mode (key F5)
select Menu>Save options to file, and activate Menu>Auto-save Options

in Menu>Virtual File System, choose Backup on Save and Autosave every: enter 900 (= every 15 min) or more

Menu>Others options> Edit Event Script... (ALT+F6)

put this content in hfs.events and save it in the hfs.exe folder
Code: [Select]
[server start]
{.if|{.{.filesize|hfs.vfs.}<255.}|
{:{.add to log|Empty VFS detected.}
  {.if|{.exists|hfs.vfs.bak.}|
{:{.add to log| VFS backup found.}
  {.delete|hfs.vfs.}
  {.copy|hfs.vfs.bak|hfs.vfs.}
  {.add to log| previous VFS restored and loaded.}
:}|{:{.add to log| VFS backup not found.}:}
/if.}:}
|{:{.add to log|VFS seems good.}:}
/if.}

This script tests whether the size of the vfs is less than a certain value (255, to be reduced if necessary) and in that case restores the backup, every time the server is SWITCHING ON (not possible only when hfs is launched), allowing a functional VFS to be found.

Verify in the windows registry that these keys do not exist, else delete them:
HKEY_CURRENT_USER\Software\rejetto and HKEY_LOCAL_MACHINE\Software\rejetto
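The same check the hfs.events script performs at [server start], written in Python so the edge cases can be tried in a temporary folder. This is an added example, not HFS code or the script from the post; `restore_vfs_if_empty` and `demo` are names chosen here. Two things go beyond the script and are marked as assumptions in the code: the backup is only used if it is itself above the size threshold, and the file is replaced by copy-then-rename so a failed copy can never leave you with no hfs.vfs at all (the script deletes first and copies second).

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Union

# Added example, not HFS code: restore hfs.vfs from hfs.vfs.bak when it looks empty.

THRESHOLD = 255  # bytes, the value used in the script; lower it if a real VFS is smaller


def restore_vfs_if_empty(vfs: Path, bak: Path, threshold: int = THRESHOLD) -> str:
    """Return a log line describing what happened (wording mirrors the script's add to log calls)."""
    size = vfs.stat().st_size if vfs.exists() else 0
    if size >= threshold:
        return "VFS seems good."
    if not bak.exists():
        return "Empty VFS detected. VFS backup not found."
    if bak.stat().st_size < threshold:   # assumption: never restore a backup that is empty too
        return "Empty VFS detected. VFS backup found but it is empty as well, nothing restored."
    tmp = vfs.with_suffix(".restoring")
    shutil.copyfile(bak, tmp)            # copy into a side file first ...
    os.replace(tmp, vfs)                 # ... then swap atomically, so hfs.vfs is never missing mid-way
    return "Empty VFS detected. VFS backup found. previous VFS restored and loaded."


def demo() -> Dict[str, Union[str, int]]:
    """Constructed scenarios in a temporary folder; returns the log line for each."""
    results: Dict[str, Union[str, int]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        vfs, bak = d / "hfs.vfs", d / "hfs.vfs.bak"
        good = b"V" * 1000                 # stands in for a real VFS (constructed content)
        vfs.write_bytes(good)
        results["healthy"] = restore_vfs_if_empty(vfs, bak)
        vfs.write_bytes(b"")               # the failure mode from the thread: an emptied VFS
        results["no_backup"] = restore_vfs_if_empty(vfs, bak)
        bak.write_bytes(b"")
        results["empty_backup"] = restore_vfs_if_empty(vfs, bak)
        bak.write_bytes(good)
        results["restored"] = restore_vfs_if_empty(vfs, bak)
        results["restored_size"] = vfs.stat().st_size
    return results
```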

12
HFS ~ HTTP File Server / Re: HFS including SSl tools
« on: March 16, 2023, 10:31:21 PM »
No there will be no new version beyond the one already available in 2.x
a new project supporting https is already available in this topic
https://rejetto.com/forum/index.php?topic=13506.msg1067143#msg1067143

13
Bug reports / Re: False errors on upload
« on: January 26, 2023, 10:15:57 PM »
so it looks like this folder is visible in the VFS, since you changed the access properties there

try going to the diff template tab; you can place a customization of the upload results there by adding this section

Code: [Select]
[+upload-success]
{.add to log|{.filename|%item-resource%.}=uploaded by {.if|{.length|%user%.}|%user%|Anonymous /if.}./add to log.}

14
HFS ~ HTTP File Server / Re: Rejetto HFS file server alternative?
« on: November 15, 2022, 03:44:12 PM »
Why shouldn't you wake a sleeping cat?
Cats who are deprived of these stages of sleep can become lethargic or irritable, it is therefore better to avoid waking them up as much as possible

and I must say that taking care of an awakened Fysack is not easy  ;D ;D ;D

15
Programmers corner / Re: Only one thing that wasn't released about HFS...
« on: October 25, 2022, 07:23:04 PM »
The procedure to reproduce in php seems to be the following.

php receives a request from hfs in this format

Code: [Select]
http://hfstest.rejetto.com/?port={external_port}&host={external_ip|dns_name}&natted={no|yes}

This should generate a new request, using a second channel from php to hfs, on a url of the form

Code: [Select]
http://%host%:%port%/test

If hfs is indeed accessible from the web with this url, then it sends as response to php the text 'HFS OK'.

From then on the php returns a text by the first channel, with '1' as the correct-functioning response, otherwise an empty string in the event of an error.


*************************************

Technically it is possible to simulate this exchange using two hfs sessions and forcing a redirection from hfstest.rejetto.com to a local ip in the windows 'hosts' file by adding this line

127.0.0.1 hfstest.rejetto.com

The server standing in for the php must be launched to listen on port 80 and be active on 'Any Address'.

in the root, put this as diff template
Code: [Select]
[]
1

Launch another session of hfs listening on any port other than 80, then launch the "self test"; the response obtained will be positively successful.

You can also perform this experiment by replacing the localhost address with the local ip (192.168.1.xxx).

If we also use the 'self test' of the hfs on port 80 as a self test, the response will also be positive with 127.0.0.1, but no response with 192.168.1.xxx.
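The two-channel exchange reconstructed in this post, with both sides written in Python as an added example (this is neither rejetto's PHP nor HFS code). `HfsHandler` stands in for HFS answering `/test` with `HFS OK`, and `self_test` stands in for the php page: it reads `port` and `host` from the first-channel query, opens the second channel back to `host:port/test` and returns `'1'` or `''`. Everything listens on 127.0.0.1 on free ports; hfstest.rejetto.com is never contacted. The validation of `host` and `port` before calling back is a defensive assumption added here, not something the post describes.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Type
from urllib.parse import parse_qs, urlparse

# Added example, not rejetto's code: both ends of the HFS "self test" on localhost.


class HfsHandler(BaseHTTPRequestHandler):
    """Stand-in for HFS: answers /test with 'HFS OK'."""
    reply = b"HFS OK"

    def do_GET(self) -> None:
        if urlparse(self.path).path == "/test":
            body, status = self.reply, 200
        else:
            body, status = b"not found", 404
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


class NotHfsHandler(HfsHandler):
    """Some other web server on the probed port: reachable, but not HFS."""
    reply = b"hello"


def start_server(handler: Type[HfsHandler]) -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def self_test(first_channel_url: str, timeout: float = 3.0) -> str:
    """php side: '1' when host:port answers /test with 'HFS OK', '' otherwise."""
    qs = parse_qs(urlparse(first_channel_url).query)
    host = qs.get("host", [""])[0]
    port = qs.get("port", [""])[0]
    # defensive assumption: only call back to a plausible host and TCP port
    if not host or any(c in host for c in "/?#@") or not port.isdigit() or not 1 <= int(port) <= 65535:
        return ""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/test", timeout=timeout) as resp:
            return "1" if resp.read() == b"HFS OK" else ""
    except (OSError, ValueError):   # connection refused, timeout, bad URL ...
        return ""


def demo() -> Dict[str, str]:
    """Constructed exchange: a fake HFS, a server that is not HFS, and a malformed first-channel request."""
    hfs = start_server(HfsHandler)
    other = start_server(NotHfsHandler)
    try:
        good = f"http://hfstest.rejetto.com/?port={hfs.server_address[1]}&host=127.0.0.1&natted=no"
        wrong = f"http://hfstest.rejetto.com/?port={other.server_address[1]}&host=127.0.0.1&natted=yes"
        bogus = "http://hfstest.rejetto.com/?port=abc&host="
        return {"reachable": self_test(good), "wrong_server": self_test(wrong), "malformed": self_test(bogus)}
    finally:
        for srv in (hfs, other):
            srv.shutdown()
            srv.server_close()
```

Because the php side connects to whatever `host:port` the first channel names, a tester like this should at least check those values before calling back, as `self_test` does, and a stricter version would only probe the address the first-channel request actually came from.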
