HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by sergio on October 09, 2024, 05:46:19 PM »
Quote: Thank you very much for the clarification. I hope it can be resolved soon.
Quote: But if hfs is under cloudflare, does the vulnerability continue?
Yes, the vulnerability continues, and it could put at risk the PC (server) where HFS2 (v2.x) runs. Running it under Cloudflare somewhat makes the server more hidden (harder for hackers to scan), but once it is discovered and targeted by a hacker, he could run or install any program (malware or anything). Unless you run HFS2 on a VPS (or somewhere you don't have anything valuable), and you can recover your data in case of problems, you should think about updating to HFS3 (or take the risk and wait until we release an unofficial version of HFS2 with this vulnerability fixed). We are closer to finding a solution to this, but the decision of waiting or updating is yours. Keep in mind that HFS3 is a completely different software (written from scratch) and its configuration is not compatible with HFS2, so you would have to configure everything again, but HFS3 is the currently recommended choice. If you have any questions about HFS3, please ask in the place dedicated to it (here), to avoid this thread going off-topic.
procedure exec_();
var
  s: string;
  code: cardinal;
begin
  // Only run executables that live in the 'exec' folder next to hfs.exe;
  // anything else is logged and the connection is dropped
  if not fileExists(exepath+'exec\'+extractFileName(macroDequote(p))) then
    begin
    pars.clear();
    result:='';
    mainfrm.add2log('DISCONNECTED'+CRLF+exepath+'exec\'+extractFileName(macroDequote(p)));
    disconnect();
    exit;
    end;
  // Second parameter: a file/dir argument gets quoted, a missing one is cleared
  s:=macroDequote(par(1));
  if fileOrDirExists(s) then
    s:=quoteIfAnyChar(' ', s)
  else
    if unnamedPars < 2 then
      s:='';
  // With out/timeout/exit code parameters the output is captured, otherwise plain exec
  if parExist(['out']) or parExist(['timeout']) or parExist(['exit code']) then
    try
      spaceIf(captureExec(macroDequote(p)+nonEmptyConcat(' ', s), s, code, parF('timeout',2)));
      try setVar(parEx('exit code'), intToStr(code)) except end;
      setVar(parEx('out'), s);
    except end
  else
    spaceIf(exec(macroDequote(p), s))
end; // exec_
Quote: That's great, congratulations on your achievement, Leo!
Thanks, it means a lot that you like it, I appreciate it. To me, it's like an exercise to dip my toes into Delphi, although there is still a long way to go...
Quote: You prefer 2.3 over 2.4?
Not really, some parts of it only (2.4 has huge improvements), but mainly I'm using 2.3 in my tests because it is much easier for me to build it (using TD2006). And since it was the latest stable version published, it was the version I used as an example.
Quote: Is the url the only way to use the vulnerability? Even if the POC of the CVE uses the url, be sure to consider the possibility of the attack coming from a header.
Yes, I know what you mean (the 'Host' header is not covered, for example), that's why I'm not completely happy with my 'single line' fix (although it works). That's why I'm testing a completely new fix (instead of the previous code). See...
  runEventScript('pre-filter-request');
  // Check macro leaks, prevent hack attempts
  // conn.request.full is checked (the raw request, not only the URL), so
  // markers arriving in a header are caught as well
  if anyMacroMarkerIn(conn.request.full) then
    begin
    data.disconnectReason:='Hack attempt blocked. This event has been logged!';
    add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
    getPage('deny', data);
    conn.reply.mode:=HRM_BAD_REQUEST;
    exit;
    end;
  url:=conn.request.url; // The next line is a fix for CVE-2024-23692
  if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
  extractParams();
  url:=decodeURL(url);
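As an added example (not HFS code and not sergio's patch), here is the same "full request" pre-filter idea in Python: it scans the request line and every header, also after repeated percent-decoding, for the HFS macro delimiters `{.` and `.}` (assumed to be what anyMacroMarkerIn looks for) and answers with a 400 decision instead of serving the page. The sample requests are constructed for the demo.

```python
import urllib.parse

# Assumption: these are the HFS 2.x macro delimiters the fix above looks for
MACRO_MARKERS = ("{.", ".}")


def has_macro_marker(text: str) -> bool:
    """True if the text contains a macro delimiter, checked on the raw text and
    after percent-decoding it repeatedly, so double-encoded markers are caught too."""
    seen = set()
    cur = text
    while cur not in seen:          # stops once decoding no longer changes anything
        seen.add(cur)
        if any(m in cur for m in MACRO_MARKERS):
            return True
        cur = urllib.parse.unquote(cur)
    return False


def filter_request(raw_request: str) -> dict:
    """Pre-filter a raw HTTP request (request line plus headers), like the
    conn.request.full check: block with 400 if any part carries macro markers,
    otherwise return the decoded path that would be served."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    if has_macro_marker(head):
        where = "request line" if has_macro_marker(request_line) else "header"
        return {"status": 400, "reason": "Hack attempt blocked", "where": where}
    _method, url, _version = request_line.split(" ", 2)
    path = url.split("?", 1)[0]
    return {"status": 200, "path": urllib.parse.unquote(path)}


# Constructed sample requests: a clean one, markers in the URL, and
# double-encoded markers hidden in a header (the case the single-line fix missed)
CLEAN = "GET /docs/report%202024.pdf HTTP/1.1\r\nHost: files.example\r\n\r\n"
URL_MARKER = "GET /?q=%7B.x.%7D HTTP/1.1\r\nHost: files.example\r\n\r\n"
HEADER_MARKER = "GET / HTTP/1.1\r\nHost: %257B.x.%257D\r\n\r\n"

if __name__ == "__main__":
    for req in (CLEAN, URL_MARKER, HEADER_MARKER):
        print(filter_request(req))
```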