rejetto forum

Recent Posts

1
Security enhancements at software.run.place

The Hfs-Patched.zip file contains stable HFS 2.3, which has some of Leo's security patches added, and...
I have removed the ability for it to save macros-on setting, so it will shut off macros (for security necessity) at every program exit.
A few other settings are likewise shut off (such as system icons for default template that doesn't work without macros).

The only addition from me is that I have overwritten the large TPL files with Throwback15, because it reprograms the ini file for more robust durability and then shuts macros off.  This happens at first run, causing HFS to shut off macros immediately at first run of a new install.

To catch the differences, there is an events.hfs file included, which is redundant with HFS2.3n; but it can send any other version of HFS2x into a sort of honeypot mode, possibly good enough to auto-ban some script-kiddies and bots, but not good enough for a live hacker.  Therefore, find Tinywall also listed on the site.  Tinywall is a whitelist egress firewall, which allows nothing to use the internet until you specify what that is, such as your browser and HFS (you manually specify that); and a whitelist firewall is handy at preventing unwanted remote control.

I recommend: leave macros off, use the web server to broadcast files, but use an encrypting ftp server to manage files.
Management options include Wingftp, HFS3, an encrypting ftp server...  Having a web server manage files is naturally insecure; so, managing with a modern encrypting ftp server is probably better.  Unlike the old type, some modern encrypting ftp servers need only 1 port, which is easier to set up.
2
There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if 'macro' feature is on.  So...

Stripes 5 shuts off macros at first run, to secure.
Stripes 5 is designed to run without macros.
HFS 2.3 doesn't require macros for login.
3
The new files are available at Post#1

There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if 'macro' feature is on.  So...

Throwback 15 shuts off macros at first run, to secure.
Throwback 15 is designed to run without macros. 
HFS 2.3 doesn't require macros for login.
4
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by danny on July 05, 2025, 04:26:16 AM »
Does anyone have the source code for HFS2.3L  ?

I ask because the "L" (299-1/2) has partial unicode support and doesn't have the login ddos crashout vulnerability of HFS 2.3M nor the recurring switchoff error of HFS2.4 (using any limit features is far worse).  Certainly, HFS2.3 K and L are far more robust than the rest.

Actually, HFS2.4 might be workable if the switchoff function could be removed (mod resulting in can't switch off, maybe also can't accidentally switch itself off, thereby repaired?).  Edit!  Actually, switch-on each 5 seconds might be very robust (because that allows the tame switchoff failure mode to stop ddos and then goes right back to work 5 seconds later).  Edit2: but also the failure mode usually inverts the on/off function; therefore we'd have to be sure not to accidentally switch it off each 5 seconds.

P.S.  Wasn't there some way to make a new folder with a Post, without macros, just like the upload works?
5
HFS ~ HTTP File Server / Re: HFS v2.x severe vulnerability patched
« Last post by LeoNeeson on July 03, 2025, 10:06:47 AM »
Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off?
Hey Danny! It's nice you did your custom version. :D I'm glad you liked and found my guide to compiling HFS helpful. The following message below is what I wrote yesterday before going to sleep (replying to your original message), which I'll leave here anyway...



Hi Leo!  Thanks for the reply. 

Is it possible to get a patched copy of HFS 2.3K, 2.3L or even 2.3M?
The "K" and "L" withstand gigabit slightly better than the "M" version.
However, I don't need 2.4 because it locks up under gigabit load.

So, file download location of patched HFS 2.3 ?
  • Officially, there isn't a "patched" version of ANY version of the whole version 2 (since Rejetto, is now focused on the new version 3), nor do I have any (personal) version ready to share (if I had it, I would gladly share it, but I still have nothing ready).
  • Unofficially, anyone can compile HFS from the source code and modify it to avoid this vulnerability. You'd need a copy of 'Turbo Delphi' or some later version, though. You can check my tutorial "How to compile HFS" if you wish.
Sadly, I don't have the time to continue with this anymore, at least for the foreseeable future. I only have like 10 or 20 minutes a day to reply to messages, and programming just takes up way too much time – time I don't have right now. It's not a lack of motivation, but circumstances beyond my control (my parents' health), that are keeping me from continuing to work on this. I just can't give you any date on when I'll have free time again to get back to this, but don't lose hope! And thanks for your hosting offer, I appreciate it.

You can try some of the other 'code change' suggestions I've left on this thread (if you want to compile the source code yourself, but you will be on your own with this), or, even better, use another "fork" (unofficial version) of HFS, like any of the options described in this thread. But, what version you choose is totally up to you. The easiest option right now is to just stick with any -official- HFS version 2 (preferably the latest), with macros disabled for now. Or, you could always upgrade to HFS 3 to make Rejetto happy! ;)
6
HFS ~ HTTP File Server / HFS v2.x severe vulnerability patched
« Last post by danny on July 02, 2025, 04:30:29 PM »
Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off? 

7
in hfs.events (alt+f6)
Code:
[+request]
{.if|{.match|*filter=*.chr*;*search=*.chr*;*filter=*.save*;*search=*.save*;*filter=*.section*;*search=*.section*;*filter=*.break*;*search=*.break*;*filter=*.move*;*search=*.move*;*filter=*.set*;*search=*.set*;*filter=*_host_*;*search=*_host_*;*filter=*%host%*;*search=*%host%*;*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*.chr*;*.exe*;*.bat*;*.ps*;*.com*;*.php*;*.py*;*.vbs*|%url%.}|{:{.disconnect.}{.add to log|%ip% %user% IS DENIED.}:}.}

Is that a good approach?  And, if so, how much of that filter is actually needed?  Thanks!!!
Hey Danny, good to see you again! :D

Unfortunately, none of those filters are going to stop this vulnerability, and they're not really useful in this specific situation. You can use them if you want, but they won't do anything to prevent this.

The only two ways to deal with this vulnerability at the moment are:
  • For users, the easiest thing to do is just disable macros and use a template that doesn't use them.
  • For programmers, the other option is recompiling the executable (after fixing the function that allows this vulnerability).

- To disable macros, follow these steps, described HERE.
- Then, you can use a template like these, found HERE.

(That should keep you safe from the vulnerability!)

That's all we've got for now. Hope it helps! :)

Cheers,
Leo.-
8
in hfs.events (alt+f6)
Code:
[+request]
{.if|{.match|*filter=*.chr*;*search=*.chr*;*filter=*.save*;*search=*.save*;*filter=*.section*;*search=*.section*;*filter=*.break*;*search=*.break*;*filter=*.move*;*search=*.move*;*filter=*.set*;*search=*.set*;*filter=*_host_*;*search=*_host_*;*filter=*%host%*;*search=*%host%*;*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*.chr*;*.exe*;*.bat*;*.ps*;*.com*;*.php*;*.py*;*.vbs*|%url%.}|{:{.disconnect.}{.add to log|%ip% %user% IS DENIED.}:}.}

Edit:  Here is a newer approach with added Auto-Ban.
in hfs.events (alt+f6)
Code:
[+request]
{.if|{.match|*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*cmd.exe*;*&cmd=*;*powershell+*;*/wp-includes/*|%url%.}|{:
{.set|n|{.from table|#tries|%ip%.}.}{.inc|n.}{.set table|#tries|%ip%={.^n.}.}
{.if|{.{.^n.} > 0.}|{:
{.set ini|ban-list={.no pipe|{.from table|#ini|ban-list.}%ip%#AutoBan {.time.}.}.}{.set table|#tries|%ip%=0.}
:}/if.}
{.disconnect.}{.add to log|%ip% %user% BANNED FOR POSSIBLE SECURITY THREAT.}:}.}
Note:  This is possibly useful in combination with the TINYWALL firewall project, an egress blocking firewall, whereby you'd let through (allow) your web browser, HFS (possibly unblock lan), and very little else.  There is a newer version, and also an older version (for older servers).
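To see what the posted [+request] handler actually does (and does not do), here is an added Python model of its logic; it is example code written for this page, not danny's events script and not part of HFS. It assumes that HFS's {.match.} treats '*' and '?' as wildcards, splits masks on ';' and matches case-insensitively, and it uses a hypothetical in-memory ban list instead of the real ban-list ini format. The masks and the "ban on first hit" rule (the script's '> 0' test) are taken from the post; the sample requests are constructed. As Leo points out in the reply above, a URL filter like this only triages noisy probes; it does not close the macro RCE, which is why macros have to stay off.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Masks copied from the posted [+request] handler: ';'-separated wildcard masks,
# each one tried against the request URL. HFS's {.match.} is assumed here to be
# case-insensitive; both sides are lowercased to mimic that (assumption).
SUSPICIOUS_MASKS = (
    "*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;"
    "*cmd.exe*;*&cmd=*;*powershell+*;*/wp-includes/*"
)


def url_matches(masks: str, url: str) -> bool:
    """True if any ';'-separated wildcard mask ('*' and '?' only) matches the URL."""
    url_l = url.lower()
    return any(fnmatch.fnmatchcase(url_l, m.lower()) for m in masks.split(";") if m)


class AutoBan:
    """Model of the per-IP counter (#tries table) and ban-list append from the post."""

    def __init__(self, masks: str = SUSPICIOUS_MASKS, threshold: int = 0):
        self.masks = masks
        self.threshold = threshold      # posted script tests '> 0', i.e. ban on first hit
        self.tries = defaultdict(int)   # stands in for {.set table|#tries|...}
        self.ban_list = []              # hypothetical stand-in for the ban-list ini value
        self.banned = set()             # HFS enforces its ban-list itself; modelled here
        self.log = []                   # stands in for {.add to log|...}

    def handle_request(self, ip: str, user: str, url: str, now=None) -> str:
        """Return 'allow', 'deny' (matched, disconnected), 'ban' (also listed) or 'blocked'."""
        if ip in self.banned:
            return "blocked"            # already on the ban list: never reaches the handler
        if not url_matches(self.masks, url):
            return "allow"
        self.tries[ip] += 1             # {.inc|n.} on the per-IP counter
        banned = False
        if self.tries[ip] > self.threshold:
            stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
            # Hypothetical entry format; the real ban-list ini syntax is not modelled.
            self.ban_list.append(f"{ip}#AutoBan {stamp}")
            self.banned.add(ip)
            self.tries[ip] = 0          # {.set table|#tries|%ip%=0.}
            banned = True
        # The posted handler disconnects and logs on every match, banned or not.
        verdict = "BANNED FOR POSSIBLE SECURITY THREAT" if banned else "IS DENIED"
        self.log.append(f"{ip} {user} {verdict}")
        return "ban" if banned else "deny"


def run_sample() -> list:
    """Feed constructed sample requests (not real traffic) through the model."""
    sample = [
        ("198.51.100.7", "-", "/files/report.pdf"),            # ordinary download
        ("198.51.100.7", "-", "/?search=.exec"),               # macro marker in query
        ("203.0.113.9", "bob", "/wp-includes/wlwmanifest.xml"),  # WordPress probe
        ("203.0.113.9", "bob", "/files/report.pdf"),           # same IP after the ban
    ]
    ab = AutoBan()
    return [ab.handle_request(ip, user, url) for ip, user, url in sample]


if __name__ == "__main__":
    print(run_sample())  # ['allow', 'ban', 'ban', 'blocked']
```

Raising the threshold turns the script into "deny a few times, then ban", which is the only tuning knob the posted logic has; note that a benign client whose URL happens to contain one of the masks (a file literally named something.exec, for example) is treated exactly like a probe.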
9
Everything else / Re: Taking a summer break and some time off
« Last post by Mars on January 22, 2025, 01:28:59 PM »
It's not a big deal, the cupboards and the freezer are full, we won't starve to spend your return. ;D ;D

do your job well and don't force too much on the tequila during the aperitif breaks 8) ;)

PS: I'm closing this topic since it doesn't need any further comments.

;D all the ways of the lord are not impenetrable
10
Everything else / Taking a summer break and some time off
« Last post by LeoNeeson on January 22, 2025, 03:50:24 AM »
Hey everyone! :) Some of you might already know (those who contacted me via private message), but for the rest, I want to let you know that I'll be stepping away from my computer, the forum, emails, etc. for a few weeks. It's summer over here, and during this time (from January to about March/April), the weather allows me to do some home projects that aren't possible at other times of the year (like painting, general cleaning, and small repairs).

I just wanted to mention this, so you could understand why it might take me a while to respond or provide detailed replies (I will probably check things once a week). It's not due to a lack of interest or anything; it's just a little break from all the tech stuff during these hot weeks. But when summer is over, I'll be back around more often! ;)

Cheers,
Leo.-

PS: I'm closing this topic since it doesn't need any further comments.