Recent Posts

1

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability, Patched 2.3K

« Last post by danny on Yesterday at 10:06:03 PM »

Speedup: 
locate hfs23-K-patched2.zip and you can test it out. 
http://software.run.place
It is running that same copy of HFS2.3K, with the macros on.

Thanks to Leo for help in bypassing the limiters, for gigabit compatibility.
I also found work-multipliers and bypassed those. 

2

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability, Patched 2.3K

« Last post by danny on July 09, 2025, 12:30:32 AM »

For patched version of HFS2.3K, I've added many layers of defense. . . and *Might have solved/reduced the gigabit freeze problem. 
http://software.run.place
locate hfs23-K-patched.zip and you can test it out. 
The site to download it, is running that same copy of HFS2.3K, with the macros on. 

3

HTML & templates / Re: Stripes, the template for simple and easy. Updated for security.

« Last post by danny on July 05, 2025, 08:25:59 AM »

There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if 'macro' feature is on.  So...

Stripes 5 shuts off macros at first run, to secure.
Stripes 5 is designed to run without macros.
HFS 2.3 doesn't require macros for login.

4

HTML & templates / Re: The Throwback (retro) template. Updated. Security patch edition

« Last post by danny on July 05, 2025, 07:00:03 AM »

The new files are available at Post#1

There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if 'macro' feature is on.  So...

Throwback 15 shuts off macros at first run, to secure.
Throwback 15 is designed to run without macros. 
HFS 2.3 doesn't require macros for login.

5

HFS ~ HTTP File Server / Re: HFS v2.x severe vulnerability patched

« Last post by LeoNeeson on July 03, 2025, 10:06:47 AM »

Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off?

Hey Danny! It's nice you did your custom version. I'm glad you liked and found my guide to compiling HFS helpful. The following message below is what I wrote yesterday before going to sleep (replying your original message), which I'll leave here anyway...

Hi Leo!  Thanks for the reply. 

Is it possible to get a patched copy of HFS 2.3K, 2.3L or even 2.3M?
The "K" and "L" withstand gigabit slightly better than the "M" version.
However, I don't need 2.4 because it locks up under gigabit load.

So, file download location of patched HFS 2.3 ?

• Officially, there isn't a "patched" version of ANY version of the whole version 2 (since Rejetto, is now focused on the new version 3), nor do I have any (personal) version ready to share (if I had it, I would gladly share it, but I still have nothing ready).
• Unofficially, anyone can compile HFS from the source code and modify it to avoid this vulnerability. You'd need a copy of 'Turbo Delphi' or some later version, though. You can check my tutorial "How to compile HFS" if you wish.
  

Sadly, I don't have the time to continue with this anymore, at least for the foreseeable future. I only have like 10 or 20 minutes a day to reply to messages, and programming just takes up way too much time – time I don't have right now. It's not a lack of motivation, but circumstances beyond my control (my parents' health), that are keeping me from continue working on this. I just can't give you any date on when I'll have free time again to get back to this, but don't lose hope!. And thanks for your hosting offer, I appreciate it.

You can try some of the other 'code change' suggestions I've left on this thread (if you want to compile the source code yourself, but you will be on your own with this), or, even better, use another "fork" (unofficial version) of HFS, like any of the options described in this thread. But, what version you choose is totally up to you. The easiest option right now is to just stick with any -official- HFS version 2 (preferably the latest), with macros disabled for now. Or, you could always upgrade to HFS 3 to make Rejetto happy!

6

HFS ~ HTTP File Server / HFS v2.x severe vulnerability patched

« Last post by danny on July 02, 2025, 04:30:29 PM »

Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off? 

7

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability possible fix?

« Last post by LeoNeeson on July 02, 2025, 04:06:46 PM »

in hfs.events (alt+f6)

Code: [Select]

[+request]
{.if|{.match|*filter=*.chr*;*search=*.chr*;*filter=*.save*;*search=*.save*;*filter=*.section*;*search=*.section*;*filter=*.break*;*search=*.break*;*filter=*.move*;*search=*.move*;*filter=*.set*;*search=*.set*;*filter=*_host_*;*search=*_host_*;*filter=*%host%*;*search=*%host%*;*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*.chr*;*.exe*;*.bat*;*.ps*;*.com*;*.php*;*.py*;*.vbs*|%url%.}|{:{.disconnect.}{.add to log|%ip% %user% IS DENIED.}:}.}

Is that a good approach?  And, if so, how much of that filter is actually needed?  Thanks!!!

Hey Danny, good to see you again!

Unfortunately, none of those filters are going to stop this vulnerability, and they're not really useful in this specific situation. You can use them if you want, but they won't do anything to prevent this.

The only two ways to deal with this vulnerability at the moment are:

• For users, the easiest thing to do is just disable macros and use a template that doesn't use them.
  
• For programmers, the other option is recompiling the executable (after fixing the function that allow this vulnerability).
  

- To disable macros, follow these steps, described HERE.
- Then, you can use a template like these, found HERE.
(That should keep you safe from the vulnerability!)

That’s all we've got for now. Hope it helps!

Cheers,
Leo.-

8

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability possible fix?

« Last post by danny on June 29, 2025, 09:36:35 PM »

Edit:  Here is an approach with Auto-Ban.   This will not catch everything--keep scrolling, several posts further down.
in hfs.events (alt+f6)

Code: [Select]

[+request]
{.if|{.match|*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*cmd.exe*;*&cmd=*;*powershell+*;*/wp-includes/*|%url%.}|{:
{.set|n|{.from table|#tries|%ip%.}.}{.inc|n.}{.set table|#tries|%ip%={.^n.}.}
{.if|{.{.^n.} > 0.}|{:
{.set ini|ban-list={.no pipe|{.from table|#ini|ban-list.}%ip%#AutoBan {.time.}.}.}{.set table|#tries|%ip%=0.}
:}/if.}
{.disconnect.}{.add to log|%ip% %user% BANNED FOR POSSIBLE SECURITY THREAT.}:}.}Note:  This is possibly useful in combination with the TINYWALL firewall project, an egress blocking firewall, whereby you'd let through (allow) your web browser, HFS (possibly unblock lan), and very little else.  Newer version or there is also older version (for older server).

9

Everything else / Re: Taking a summer break and some time off

« Last post by Mars on January 22, 2025, 01:28:59 PM »

It's not a big deal, the cupboards and the freezer are full, we won't starve to spend your return.

do your job well and don't force too much on the tequila during the aperitif breaks

PS: I'm closing this topic since it doesn't need any further comments.
  all the ways of the lord are not impenetrable

10

Everything else / Taking a summer break and some time off

« Last post by LeoNeeson on January 22, 2025, 03:50:24 AM »

Hey everyone! Some of you might already know (those who contacted me via private message), but for the rest, I want to let you know that I’ll be stepping away from my computer, the forum, emails, etc. for a few weeks. It’s summer over here, and during this time (from January to about March/April), the weather allows me to do some home projects that aren’t possible at other times of the year (like painting, general cleaning, and small repairs).

I just wanted to mention this, so you could understand why it might take me a while to respond or provide detailed replies (I will probably check things once a week). It’s not due to a lack of interest or anything; it's just a little break from all the tech stuff during these hot weeks. But when summer is over, I’ll be back around more often!

Cheers,
Leo.-


PS: I'm closing this topic since it doesn't need any further comments.