rejetto forum

Recent Posts

11
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Rapid on January 06, 2025, 10:16:40 PM »
Hi Leo!
Could you check my versions, if it vulnerable or not? As I'm not really understand your answers per my fixes.
In my tests, I couldn't repeat vulnerability examples. May be I checked not enough?

My latest version: https://rnq.ru/downloads/download/8-hfs/215-hfs-324-x64
12
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on January 06, 2025, 11:42:54 AM »
Good! :D ...and now we have:

- Option C: Mars’s version of HFS! (v2.3m Build 305)
This option is perfect for those who want to make normal use of the default template (while also wanting to programmatically run programs using HFS, but don’t want to leave this option enabled for too long). This also provides another alternative (besides 'Option A or B') for those who wish to disable the 'exec' macro feature to be more secure.


What is the difference between 'Option B' and 'Option C'? The difference is that 'Option B' disables all macros (including the less risky macros that are necessary for normal template functionality), while the Mars compilation only disables the 'exec' macro (which allows other programs to be executed, and this was exploited by this vulnerability). Since the vulnerability still exists, if you use 'Option C' (and enable the 'exec' macro), it's best to allow it only for a short period, or to disable it directly when this feature is not needed.

It’s nice to have more options for those who may need them.
Everything seems fine, and it’s good, coming from Mars (congrats!) :)
13
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Mars on January 03, 2025, 11:31:41 PM »

Since there are still a fans of hfs 2.3m build 300, and who are concerned about the risk of being hackered with the EXEC macro, the simplest at the moment is to allow a deactivation of this macro which is only rarely used and in very specific cases,

the solution envisaged to limit the number of accessible external programs that would be included in a reduced list is not possible at the moment as long as an effective filtering is not possible for the moment to be possible.


This is an ephemeral link on a version  compressed with upx, wich has not be endorsed by rejetto, but because of my previous participation in the project I can afford it without waiting ;)
 it integrates a button in the toolbar to activate the use of the macro exec.
HFS 2.3m build 305

the macro is systematically in OFF mode as soon as the server is started up or at each change of state of the latter.

the macro is automatically deactivated when the display is switched to EASY mode, and the button is inoperative.

when the conditions are met, it is possible to activate the use of the EXEC macro for a period of 30 seconds, this value can be modified by right-clicking on the button,

any change to a value other than that displayed on the opening of the message causes the timer to stop, so it is necessary to reactivate the button.

As a measure of simplicity, a zero value inhibits the timer and the button becomes a simple state flip-flop, otherwise it behaves like a timer.
14
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Alps on January 03, 2025, 06:23:26 PM »
Not only my credits.
Was only a idea from me.
I not have the knowledge for security relevance.
Without LeoNeeson we not have this solution.
15
HFS ~ HTTP File Server / Temporary solution to vulnerability CVE-2024-23692
« Last post by LeoNeeson on January 03, 2025, 01:10:25 AM »
@Alps: Using "deactivate Browsable" doesn't make any difference here (you can use it, but it doesn't stop this vulnerability). The only setting that stops it, is disabling macros (since the problem is there). With macros disabled, even search works fine, you only need to use a simple template that doesn't need or use macros.
I correct myself (my mistake): @Alps was right on his first message (and then here), by unchecking the 'Browsable' flag on the 'Home/Root' of HFS, you could avoid this vulnerability and be safe. That seems to be enough, but if you also disable macros, you are twice protected. If you use v2.4 and need to use the login system, then don't disable macros (using v2.3 you can disable macros + uncheck browsable flag, since login system depends on the browser).



Summarizing, now we have 2 options to be safe and avoid this vulnerability:

- Option A: unchecking the 'Browsable' flag
1) Inside HFS, make sure 'You are in Expert mode' (if not switch by pressing F5)
2) In 'Virtual File System' panel, right-click on the 'Home' icon, select 'Properties...'
3) Properties window will open, go to 'Flags' tab, and uncheck 'Browsable' option.
4) Click 'OK' to apply changes, and from now on, any visitor to your HFS server, will see this message: "Forbidden / This resource is not accessible", and you will not have file listing, neither file search.

- Option B: disabling the 'macros' feature
Simply follow the steps described in this post, here.


I give all the credits for both of these methods to @Alps! :D

Cheers,
Leo.-
16
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on January 01, 2025, 11:00:55 PM »
versions down to 2.3i now also safe with macro off ?
With macro OFF, those versions could "probably" be safe, but I can't give you a 100% guarantee "that versions down to 2.3i are also safe with macro off" (I haven't tested it to give you confirmation). Macros were always like a 'Pandora box' for vulnerabilities, but many other enhancements were introduced since version 2.3i.

in a russian forum i found also a solution including fixed hfs download
Thanks for the link. :) Sadly, that 'fixed HFS' download is not safe with macro ON. The solution posted there (and that compiled executable), is not enough to stop the vulnerability (since it only search the 'exec' word in the URL, and that word can be split in two words to bypass that solution, so I don't recommend it). You could point those users to visit this forum thread, so they could get updated info about this issue.
17
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Alps on January 01, 2025, 09:31:48 PM »
This sounds all great  :)
Maybe this is the best solution.
I am Happy can now use hfs again after 6 months break.  :D

In changelogs from "j" "k" "m" i not read security fixes.
versions down to 2.3i now also safe with macro off ?

in a russian forum i found also a solution including fixed hfs download
maybe it is interesting for you.
http://forum.ru-board.com/topic.cgi?forum=5&topic=13365&start=1940#11
i not know how safe it is.

Macro off is the best way for me.
18
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on January 01, 2025, 01:22:28 PM »
@Alps: Using "deactivate Browsable" doesn't make any difference here (you can use it, but it doesn't stop this vulnerability). The only setting that stops it, is disabling macros (since the problem is there). With macros disabled, even search works fine, you only need to use a simple template that doesn't need or use macros.

For example, I've quickly modified (removing any use of macros) the 'Stripes' template, which is a template made by the user Danny for HFS v2.3 and v2.4. These modified templates I've uploaded here, works fine for basic 'file listing' operations but doesn't have the upload, delete or login function (login still works when using v2.3), but you can add those functions back, if you have the knowledge to do it, and you don't use macros (I currently don't have enough free time nor the patience to do it).

Well, that's all for now, hope it helps. :)
19
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Alps on January 01, 2025, 03:42:34 AM »
Very thanks for reply.

ok, as you say browsable not helps with this vulnerability "setting in hfs window part "virtual file system" " /Home Right click/properties/flags deactivate Browsable"

If i switch it off, user become message.
!Forbidden
or||!This resource is not accessible.

And it not only deactivate searchbox, it also deactivate search direct link.
Example
http://0.0.0.0:80/?search=test

If i switch also macro off.
Comes also
!Forbidden
or||!This resource is not accessible.

In this case it is better switch macro off and browsable on ? (The last years browsable off was my default setting)

I have a rootserver, and hfs was a important part, of course i can not use old hfs before have a safe solution.
HFS 3 is not a solution for me.

If macro off is a really safe solution, it is perfect for me, i need only direct linking.

Is a easy way possible for test this vulnerability ?
20
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on December 31, 2024, 08:46:25 AM »
Maybe can fix this security problem with different settings or template modification or macro deactivation ?
Maybe i am wrong, but it sounds the problem is in template and search function.

In hfs /Home Right click/properties/ deactivate Browsable
It deactivate browse page, search and other. (Files can download now only with direct link)
Probably this is not a solution, but i think the profis here know it better.

Can it help ?
*** Temporary solution ***
Yes, good idea! :D, if you disable macros, the vulnerability will NOT happen!
But keep in mind, you will not have file list (the default template will not work)

1) Inside HFS, press F5 to switch to 'Expert mode'.
2) Go to Menu > HTML template > and uncheck 'Enable macros'.
3) It will ask you 'Do you want to cancel this action?', click in 'No'.
4) Any visitor will have this message "WARNING: this template is only to be used with HFS 2.3 (and macros enabled)", and that means you have disabled the macros, and -hopefully-, the vulnerability will NOT happen!




- Old answer (read the message above): Unfortunately, that won't stop this vulnerability (I wish it were as simple as that). The only way is to modify the program (recompiling the source code). For the moment, it is better to temporarily discontinue the use of HFS v2.x (at least until this vulnerability gets fixed, something I haven't had time to finish yet), or even better, upgrade to the new version (HFS3).

Happy Holidays to all (and happy New Year!) :)