rejetto forum



Messages - Mars

16
Everything else / Re: Let things calm down
« on: April 29, 2022, 08:12:00 PM »
The problem is that when the address of a target is known to a hacker, there is little chance that it will not be tested. From Rom_1983's point of view, nothing accuses you, but given the suspicion that you are under surveillance, it suggests that these attacks are indirectly linked to your Python scripts.

It should also be remembered that all messages with their content containing links to personal sites are visible to any visitor who is not logged in, so do not be surprised to be potentially the victim of unwanted visits.

If we hear most often about big brother and its eavesdropping through the NSA, we should not forget that other major countries are not behind in this area either and are increasingly trying to manipulate the opinion; it is therefore logical to remain suspicious of them as long as it is not possible to verify the information by means of sources not subject to the directives of these governments.








18
HFS ~ HTTP File Server / Re: Request login/password but accept any
« on: December 17, 2021, 05:00:45 PM »
From memory I don't think that's possible, unless you create a form yourself to manage the identification under the conditions you want; you just need to redirect to the resource (possibly hidden), including the login and password assigned to him.

19
Bug reports / Re: Possible vulnerability
« on: December 11, 2021, 09:46:00 PM »
if you are using one of the latest versions the remote use of macros by a user using a url is automatically detected and made harmless.
https://rejetto.com/forum/index.php?topic=11758.msg1061386#msg1061386

the other vulnerability exploit that was resolved quickly was the null byte injection
https://rejetto.com/forum/index.php?topic=11619.msg1064421#msg1064421

I can no longer remember where and in what way these two types of attack are detected in the sources of hfs, but it is certain that if your version is up to date there is no more risk when a remote user performs such attempts.

20
it may depend on several factors:
1) make sure that the mobile phone is well connected in wifi on the local network and not on the 3G-4G-5G network, otherwise it is necessary to set up an external routing
2) with HFS in standard mode, the phone browser must be able to display the home page, if necessary try another browser
3) in all circumstances, in the event of problems, use the IP address of the computer on the local network as the connection url and not the DNS name used for external connections

21
HTML & templates / Re: About "hits"
« on: October 17, 2021, 12:56:00 AM »
attach your hfs.tpl in a new post

22
Bug reports / Re: False errors on upload
« on: September 17, 2021, 11:15:34 PM »
Appears for one of the following reasons:

when sending each file with the method that was used for it
- the logged in user does not have write rights to upload files in the folder
- the user and the password used do not correspond to the values of a registered account

23
Everything else / Re: I can't change the website to English.
« on: August 03, 2021, 11:22:27 PM »
just indicate the country in the paypal url before /home as in the examples below

https://www.paypal.com/uk/home

https://www.paypal.com/it/home

https://www.paypal.com/de/home

https://www.paypal.com/es/home

24
HFS ~ HTTP File Server / Re: "username not found"
« on: May 11, 2021, 02:40:22 PM »
"user/password for each folder" is an old protection technique implemented during the first versions of HFS; it is preferable to use accounts as much as possible

25
if only one particular ip should be able to access the folder, add something similar in the diff template of the folder properties

either by using a forced disconnection
Code:
[+]
{.if|{.!=|%ip%|127.0.0.1.}|{:{.disconnect.}:}.}

or even better by using a redirect which gives the user the impression of an invalid link

Code:
[+]
{.if|{.!=|%ip%|127.0.0.1.}|{:{.redirect|../ .}:}.}


replace 127.0.0.1 by the allowed ip


a more concrete example is to only give access to a specific user without going through permissions

Code:
[+]
{.if|{.!=|%user%|Tsuna.}|{:{.redirect|../ .}:}.}


note the difference in use between  {.!=|    and  {.=|  , difference or equal usage

26
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 28, 2021, 05:43:39 PM »
Are there some per ip-specific measurements?

no

How to make global variable apply to only 1 ip? 

a variable is defined by its name which can include letters or numbers and preceded by # to become a global variable
just include %ip% in the name

{.set|#flag_%ip%| ....   .}

global variables only exist while hfs is running


27
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 13, 2021, 11:41:19 AM »
you must analyze the url which is sent by the path variable and check its validity by eliminating the non-existent parts or use a fallback url like the use with newurl in the following

[not found]
{.set|newurl|/.}
{.add header|Cache-Control: no-cache, max-age=0.}
{.redirect|/~404?path={.if|{.exists|%url%.}|{:{.encodeuri|{.filepath|%url%.}.}:}|{:{.^newurl.}:}.}.}

the problem is that in section 404, the url is not that of the containing directory but that of the requested file; "return to previous page" does not correspond to %url% as for [max contemp downloads]

use the macro {.add to log| ..what you need to see.. .} in various places to control the transmitted data and more easily determine why you are having inconsistencies in the operation of your scripts

28
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 05, 2021, 08:42:24 PM »
{.set | #frompath | %encoded-folder%.} cannot work because [max contemp downloads] is served as a new page from root and at this point the session is no longer the original page, then %encoded-folder% returns / because some %var% are not defined; on the other hand I came across %url%, which is the link of the loaded file and allows to deduce the original path

you can either use a global variable but which risks being changed by another user in the same situation or an url variable which will be valid only for the right recipient

Code:
[max contemp downloads]
{.add header|Cache-Control: no-cache, max-age=0.}
{.set|#frompath|{.encodeuri|%url%.}.}
{.redirect|/~server%20is%20busy?path={.encodeuri|{.filepath|%url%.}.}.}

[server is busy|public]
{.set|backpath|{.decodeuri|{.urlvar|path.}.}.}
<!DOCTYPE html><html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<META HTTP-EQUIV="Refresh" CONTENT="3;URL={.^backpath.}">
<TITLE>Busy</TITLE>
<link rel="icon" href="data:,"></head>
<body bgcolor="black" text="white" alink="white" link="white" vlink="white"><center><h2><br>Server is busy.</h2>Returning to previous page...</center>
</body></html>
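
Added example, not part of the original post and not HFS template code: the `path` value that the [server is busy] section reads with `{.urlvar|path.}` arrives in the request URL, so it is client-supplied by the time it reaches the refresh target. The Python below shows one way to restrict such a value to a local path with a fallback to `/`; the function names and the fallback value are assumptions.

```python
from urllib.parse import quote, unquote

FALLBACK = "/"  # assumed safe landing page, in the role newurl plays elsewhere


def safe_backpath(raw_param: str) -> str:
    """Return a site-local path for the refresh target, or FALLBACK.

    raw_param is the percent-encoded value of the `path` query variable,
    exactly as the client sent it.
    """
    path = unquote(raw_param)  # same step as {.decodeuri|{.urlvar|path.}.}

    # Empty values and control characters (CR, LF, NUL, ...) are never valid.
    if not path or any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return FALLBACK
    # Only absolute paths on this server: "/folder/", never "//host" or "scheme:".
    if not path.startswith("/") or path.startswith("//"):
        return FALLBACK
    # Browsers treat "\" like "/" in URLs, so "/\host" is also off-site.
    if "\\" in path:
        return FALLBACK
    # Dot segments could point outside the folder the user came from.
    if any(segment in (".", "..") for segment in path.split("/")):
        return FALLBACK
    # Re-encode so quotes, angle brackets and spaces cannot end the attribute.
    return quote(path, safe="/")


def refresh_tag(raw_param: str, delay: int = 3) -> str:
    """Build the meta refresh element used by the busy page."""
    return (f'<meta http-equiv="Refresh" '
            f'content="{delay};URL={safe_backpath(raw_param)}">')


# Constructed sample values, not taken from any real request.
if __name__ == "__main__":
    for sample in ("%2Fmusic%2Fmy%20files%2F", "//other.example/", "/a%22%3Eb"):
        print(sample, "->", refresh_tag(sample))
```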

29
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 05, 2021, 01:46:53 PM »
is this correct?   {.set|%encoded-folder%|#frompath.}

always  set | #variable | value

this variable will be initiated for all connections, if you plan to use it in an event, you should associate the ip and the name of the user to it in order to target the event

{.set|#frompath|%encoded-folder%;%ip%;%user%;.}

and separate the different fields in the event zone or the section considered
it may seem like a long process, but there is no simplified macro to do this kind of manipulation

this is an example you can verify in menu  > debug > run script

Quote
{.set|#frompath|http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;/set.}
Start = "{.^#frompath.}"

{.comment|Use script only from here.}

{.set|frompath|{.substring||;|{.^#frompath.}/substring.}/set.}
frompath = "{.^frompath.}"

{.set|#frompath|{.replace|{.^frompath.};||{.^#frompath.}/replace.}/set.}
{.set|ip|{.substring||;|{.^#frompath.}/substring.}/set.}
ip = "{.^ip.}"

{.set|#frompath|{.replace|{.^ip.};||{.^#frompath.}/replace.}/set.}
{.set|user|{.substring||;|{.^#frompath.}/substring.}/set.}
user = "{.^user.}"

{.set|#frompath|{.replace|{.^user.};||{.^#frompath.}/replace.}/set.}
{.set|reply|{.substring||;|{.^#frompath.}/substring.}/set.}
reply = "{.^reply.}"

{.set|#frompath|{.replace|{.^reply.};||{.^#frompath.}/replace.}/set.}
Final = "{.^#frompath.}"

the result gives
 
Quote
Start = "http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;"

frompath = "http://127.0.0.1/test"
ip = "127.0.0.255"
user = "MyName"
reply = "Private message to the user"

Final = ""

everything is based only on the manipulation of the chains

another form of use if the number of elements is not known in advance

Quote
{.set|sep|;.}
{.set|#frompath|http://127.0.0.1/test{.^sep.}127.0.0.255{.^sep.}MyName{.^sep.}Private message to the user{.^sep.}/set.}

Start = "{.^#frompath.}"
{.set|tot|{.count substring|{.^sep.}|{.^#frompath.}.}/set.}
{.set|#nb|{.^tot.}.}

{.while| #nb | {:
{.set|tab[{.^#nb.}]|{.substring||{.^sep.}|{.^#frompath.}/substring.}/set.} {.set|#frompath|{.replace|{.^tab[{.^#nb.}].}{.^sep.}||{.^#frompath.}/replace.}/set.} {.dec|#nb.}
:}/while.}
total items = {.^tot.}
{.for|x|{.^tot.}|1|-1|{:
tab[{.^x.}] = {.^tab[{.^x.}].}:}/for.}

Quote
Start = "http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;"
 
total items = 4

tab[4] = http://127.0.0.1/test
tab[3] = 127.0.0.255
tab[2] = MyName
tab[1] = Private message to the user

or to have it in the real order

Quote
{.set|sep|;.}
{.set|#frompath|http://127.0.0.1/test{.^sep.}127.0.0.255{.^sep.}MyName{.^sep.}Private message to the user{.^sep.}/set.}
Start = "{.^#frompath.}"
{.set|tot|{.count substring|{.^sep.}|{.^#frompath.}.}/set.}
{.set|#nb|{.^tot.}.}
{.while| #nb | {:
{.set|idx|{.calc|{.^tot.}-{.^#nb.}+1.}/set.}
{.set|tab[{.^idx.}]|{.substring||{.^sep.}|{.^#frompath.}/substring.}/set.}
{.set|#frompath|{.replace|{.^tab[{.^idx.}].}{.^sep.}||{.^#frompath.}/replace.}/set.}
{.dec|#nb.}
:}/while.}
total items = {.^tot.}
{.for|x|1|{.^tot.}|{:
tab[{.^x.}] = {.^tab[{.^x.}].}:}/for.}

Quote
Start = "http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;"

total items = 4

tab[1] = http://127.0.0.1/test
tab[2] = 127.0.0.255
tab[3] = MyName
tab[4] = Private message to the user

tab[x] is not a real array but a series of variables with different names "tab" + "[" + x + "]"

30
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 03, 2021, 01:40:03 PM »
under normal conditions if a download is interrupted the server sends the client a response with Not served: 503 - Overload, this is what should be reproduced instead of performing a sudden disconnection, perhaps a special section with a macro add header, I don't know more, on the other hand there is an event [download] but I don't know how to manage it
you have to look at the list of working variables even if it means creating variables {.set|#var1.} in the sections of the template to reuse them in the event as {.^var1.}
