rejetto forum
Software => HFS ~ HTTP File Server => Topic started by: rejetto on August 24, 2014, 07:16:56 PM
-
download @ http://www.rejetto.com/hfs/download
what's new
Security fixes
In detail:
- fixed default template for serious security flaws
- fixed possible discovery of server paths
- fixed "bind root to real folder"
- fixed {.load tpl.} not applying to some pages http://www.rejetto.com/forum/html-templates/multiple-templates-based-on-browser/msg1058862/#msg1058862
- fixed {.filename.} and {.filepath.} to work with backslashes
-
BE CAREFUL: everyone who customized the default template the raw way, by editing it, isn't safe even after updating.
The security problems were in the template, so you need to use the updated one.
When you edit the template, you stop getting updates.
The correct way to make changes is to use the diff template feature, so that your changes are applied while the original template is left untouched.
If you are not sure, reset your template and redo the changes you need: better safe than sorry.
-
can you post the new hfs.tpl file for download?
NVM:
see attach
-
Check this ;) it's a kind of help anyway
https://www.youtube.com/watch?v=lKPrLTpAatw&feature=youtu.be
-
Lolz.. Really!...
:)
well, rejetto, I think it's time to:
Code-Lock:
http://download.cnet.com/Code-Lock/3000-2216_4-10071448.html
-----
Actually it's quite interesting code behind it...
assumed to be using .NET framework debug utilities... / python code he created...
Starts by opening hfs framework terminal...
opening up the framework side on the hfs program. I.e. the console terminal that runs the hfs code..:
using commands:
With scripted programs he created and/or framework debug code to enter into and use:
In a python code terminal window:
use frmwrk/froesencisc/stoplog
Supplying the IP address of the machine running hfs
and port HTTP is running on
---to stop logging... (so you can't track it back down...)---
use frmwrk/exploits/deface
Supplying the IP address of the machine running hfs
and port HTTP is running on
Then the text info, i.e. the name...
--Then to deface its HTTP side and replace it with a new outgoing text page...
with an overline...
(using secondary scripts) - unknown
----
-
I think it's time to take a better look ;) it's becoming a really bad exploit http://youtu.be/1vV2V7ePxp8
-
bmartino1, I appreciate your effort in doing this, but you're totally wrong: there's no hfs framework nor hfs terminal. The framework you saw is an exploitation framework made by me with all useful stuff, and the scripting calling convention is just my preference. Everything you saw in the video is self made; I never looked into the hfs source, I don't need it...
-
Daniele, at first I thought you were going to help.
I'm sorry to disappoint you, but i don't have time for this game. I made HFS when i was a student. Now I work all day and barely find the time to shop for milk and bread. Only 1% of my time is programming on HFS, the rest is giving support, helping the users.
I already did my best in the little time i snatched last weekend. That's it. Good luck.
-
I think he wants to build a reputation as a hacker, so in that case he should be sending the exploit to exploit-db.com. If he doesn't upload the exploit there, it means this is all fake and this exploit doesn't really exist. Period.
-
Hi! boss!
Good news... good release! ;)
But I can't find the 2.3b Build #290 source code. :'(
-
Sorry, I need to update my automatic publication procedure so that it pushes sources as well.
I hope to do it soon, but these days are harder: a person left the office 2 months ago, I inherited his workload and we haven't found another yet.
-
But I can't find the 2.3b Build #290 source code. :'(
That's right, thanks for bringing it up. I didn't say anything before, so as not to bother him. :-[ But it's true: in the 'Download' section, it links to 'hfs2.3b_290.src.zip' on SourceForge.net, but there isn't any file for v2.3b Build #290.
Sorry, I need to update my automatic publication procedure so that it pushes sources as well. I hope to do it soon, but these days are harder: a person left the office 2 months ago, I inherited his workload and we haven't found another yet.
I do understand you, there is no hurry. ;) I think you could at least upload your sources directly to the melauto.it or webfactional.com hosts (the same hosting you use for your executables), instead of using sourceforge.net at all. Maybe it's easier for you. I'm just thinking out loud...
Anyway, I wish you all the best Rejetto, you are doing a great job, even when some people don't want to collaborate (**cough**daniele*cough**)....
-
You know what the thing is... I've seen at least 10 posts talking about strange behaviours, but nobody has stopped to understand the reason for those behaviours.
-
I don't know what you're referring to. Could you link me one so I can understand?
-
rejetto, listen to me: if you give me a hand, I'll give you a hand. I'd like to turn the vulnerability into a CVE, but I need your consent; once it's released I'll explain to you how to fix it.
-
How can I help you?
-
It's very simple: I made a request to get a unique CVE ID. Since you never requested one for your program, because you don't use Bugtraq, they need to verify the ID against your product, so at some point I'll put you in copy on the emails and you'll simply have to confirm the ID request, saying that I reported the vulnerability to you. Obviously, before making it public I'll help you fix it. Once the ID is received, there will be a certifying body that examines the vulnerability to make it eligible; if it goes well they publish it, I gain a CVE under my name and you have one vulnerability less. Furthermore, all users will learn about it, since it is public and certified, and will upgrade your product.
Let me know if that's fine with you.
-
No problem.
Anyway, it's not the first time a vulnerability has been found by people who work in security. I still remember Luigi Auriemma. There are already CVEs on HFS, and I imagine you know that. I didn't think you needed my collaboration for the filing, but I don't know these things, so you handle it.
I want to be clear about this: I'm glad you found the hole. I prefer security that comes from attention rather than from ignorance. In general I thank anyone who spends time reporting bugs to me, of whatever nature.
My email is a@rejetto.com
-
I'm highly dissatisfied with this update, because I already know a lot of people will just keep their custom version of the default template ignoring the security problem.
Just to be clear: despite not having fixed the problem Daniele has found, version 2.3b truly fixes some other serious problems.
I published it knowing a lot of people have such a configuration that will ignore the fix, keeping the problem.
This truly annoys me but I couldn't work enough to get a better solution.
I still want to help spread the cure, so I want to publish soon a revision that will inject the solution inside customized templates.
This could potentially break some customizations, but... better safe than sorry.
-
xpl01t and I are collaborating, and version 2.3c will include the fix for the other security problem.
-
I'm guessing that these exploits also apply to anyone using templates other than the default, like RAWR and such? :(
-
These exploits can be applied to any 2.3x server and they are considered "level critical". An important patch will come soon.