rejetto forum



Messages - LeoNeeson

1
Everything else / Re: Best DynDNS alternative: FreeDNS.afraid.org
« on: October 19, 2024, 09:46:55 PM »
Quote
I wonder, can HFS update it automatically?
Yes, it's easy, but read a very important note at the end...

1. Login to your FreeDNS.Afraid.org account and go to "Dynamic DNS".

2. Copy the link from "Direct URL" for the domain you want to update.
     

3. From that link, change "https://" to "http://" (removing the 's'),
   since HFS can't handle SSL connections (unless you are using v2.4 RC7).

Link example:
Code:
http://freedns.afraid.org/dynamic/update.php?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
4. In HFS, press F5 (if you are not already in 'Expert mode'), and go to...
   'Menu' > 'Dynamic DNS updater' > 'Custom...' and paste there the link.

5. It's all ready. Enjoy! :)



NOTE: My recommendation for FreeDNS.Afraid.org remains, but I currently do not recommend using HFS to do the 'DNS update' (as a 'Dynamic DNS client'). It can be used alongside HFS, but it's better not within it. This is because, no matter what DynDNS service you use, I've noticed that HFS is not very reliable for this task (I've found a small bug when using the 'Custom' option, and although it seems to work, I can't guarantee it will always function). What kind of bug? HFS is -always- updating the DNS even if it is not necessary, without first checking whether the IP of the hostname has changed or not, and this leads to this "ERROR: Address 123.xxx.xxx.xxx has not changed." For casual use, it could work fine, but for use as a permanent server, it's much better to use another DDNS client to update the IP.
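The check that the note above says HFS skips, resolving the hostname and comparing it with the current public address before touching the update URL, written out as an added example in Python (not code from HFS or from FreeDNS). The hostname and the token in the update URL are constructed placeholders, the public-IP lookup assumes the ipify echo service and can be swapped for any other, and the network calls are passed in as functions so the decision logic runs offline. It uses the https:// form of the Direct URL, since the http:// downgrade in the steps is only needed because of HFS's own SSL limitation.

```python
"""Conditional Dynamic DNS updater (added example; not HFS or FreeDNS code).

HFS calls the update URL on every run, so the service answers
"ERROR: Address ... has not changed."  This client resolves the hostname
first and only calls the update URL when the public address really differs.
"""
import re
import socket
import urllib.request
from typing import Callable, Optional

# Constructed placeholders: take the real values from the FreeDNS "Dynamic DNS" page.
UPDATE_URL = "https://freedns.afraid.org/dynamic/update.php?TOKEN_PLACEHOLDER"
HOSTNAME = "myhost.example.net"

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")  # A-record updates only


def redact(url: str) -> str:
    """The query string of the Direct URL is the secret; never log it verbatim."""
    base, sep, _ = url.partition("?")
    return base + ("?<redacted>" if sep else "")


def needs_update(current_ip: str, dns_ip: Optional[str]) -> bool:
    """True when the hostname does not resolve or resolves to a stale address."""
    if not IPV4_RE.match(current_ip):
        raise ValueError("not an IPv4 address: %r" % current_ip)
    return dns_ip is None or dns_ip != current_ip


def classify_response(body: str) -> str:
    """Map the service's plain-text reply to 'ok', 'unchanged' or 'error'.

    "has not changed" is the benign case the note describes; it is reported
    separately so it is not mistaken for a real failure.
    """
    text = body.strip()
    if text.startswith("ERROR:"):
        return "unchanged" if "has not changed" in text else "error"
    return "ok"


def fetch_public_ip(timeout: float = 10) -> str:
    """Ask a public echo service for our address (ipify assumed; use any you trust)."""
    with urllib.request.urlopen("https://api.ipify.org", timeout=timeout) as resp:
        return resp.read().decode().strip()


def resolve(hostname: str) -> Optional[str]:
    """Current A record as seen by the local resolver (may lag by the TTL), or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def call_update(url: str, timeout: float = 15) -> str:
    """Perform the actual update request and return the service's reply text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def run_once(current_ip_fn: Callable[[], str] = fetch_public_ip,
             resolve_fn: Callable[[str], Optional[str]] = resolve,
             update_fn: Callable[[str], str] = call_update,
             log: Callable[[str], None] = print) -> str:
    """One update cycle; returns 'skipped', 'updated', 'unchanged' or 'error'."""
    current = current_ip_fn()
    known = resolve_fn(HOSTNAME)
    if not needs_update(current, known):
        log("%s already points at %s; nothing to do" % (HOSTNAME, current))
        return "skipped"
    log("updating %s -> %s via %s" % (HOSTNAME, current, redact(UPDATE_URL)))
    outcome = classify_response(update_fn(UPDATE_URL))
    log("service replied: %s" % outcome)
    return "updated" if outcome == "ok" else outcome


if __name__ == "__main__":
    run_once()
```

Run it from a scheduled task every few minutes; because the resolver is consulted first, the update URL is only fetched when the address actually moved, and the log never contains the token.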

2
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 09, 2024, 04:12:26 AM »
Quote
But if hfs is under cloudflare, does the vulnerability continue?
Yes, the vulnerability continues, and it could put at risk the PC (server) where HFS2 (v2.x) runs. Running it under Cloudflare somewhat makes the server more hidden (harder to be scanned by hackers), but once it's discovered and targeted by a hacker, he could run or install any program (malware or anything). Unless you run HFS2 on a VPS (or somewhere you don't have anything valuable), and you can recover your data in case of problems, you should think about updating to HFS3 (or take the risk and wait until we release an unofficial version of HFS2 with this vulnerability fixed). We are closer to finding a solution to this, but the decision of waiting or updating is yours. Keep in mind that HFS3 is a completely different software (written from scratch) and its configuration is not compatible with HFS2, so you would have to configure everything again, but HFS3 is the currently recommended choice. If you have any questions about HFS3, please ask in the place dedicated to it (here), to avoid this thread going off-topic.

3
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 06, 2024, 06:46:05 AM »
Quote
that's great, congratulations with your achievement, Leo!
Thanks, it means a lot that you like it, I appreciate it. :) To me, it's like an exercise to dip my toes into Delphi, although there is still a long way to go...

Quote
you prefer 2.3 over 2.4 ?
Not really, only some parts of it (2.4 has huge improvements), but mainly I'm using 2.3 in my tests because it is much easier for me to build (using TD2006). And since it was the latest stable version published, it was the version I used as an example.

Quote
Is the url the only way to use the vulnerability? Even if the POC of the CVE uses the url, be sure to consider the possibility of the attack coming from a header.
Yes, I know what you mean (the 'Host' header is not covered, for example), that's why I'm not completely happy with my 'single line' fix (although it works). That's why I'm testing a completely new fix (instead of the previous code). See...



» Alternative method to stop this macro vulnerability:
Add the line marked in green, after line 5084 in 'main.pas' (v2.3m)

Quote
  runEventScript('pre-filter-request');

  // Check macro leaks, prevent hack attempts
  if anyMacroMarkerIn(conn.request.full) then
  begin
    data.disconnectReason:='Hack attempt blocked. This event has been logged!';
    add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
    getPage('deny', data);
    conn.reply.mode:=HRM_BAD_REQUEST;
    exit;
  end;



It works, but even then, it's just a simple check and stop, not a true 'urlvar' filtering (and I can't be 100% sure if it is enough or if some hacker could think of a workaround to bypass this measure). And if the browser asks for the 'favicon.ico' along with the same request, it gets logged as a hack attempt too (I don't like this, and I have to think about how to handle it, perhaps with 'urlCmd'). Alternatively, I was thinking of doing a 'stringReplace' of macro markers on 'request.full' at an earlier stage, right in the 'handleHeaderData' procedure (which also works, as a second measure), but I don't like this approach, since it could mess with other parts of the code.

Well, I think that's all I will be working on with this at the moment, I don't have too much time to go deeper analyzing this, it's only a start for now.

4
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 02, 2024, 06:36:55 AM »
After spending several hours on last weekend, I'm happy to finally announce that I've come up with a simple (one line) solution to this macro vulnerability. :D

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'
Add the line marked in red, after line 5100 in 'main.pas'
(After line 5445 in v2.4 RC07, but it hasn't been tested)

Quote
  url:=conn.request.url; // The next line is a fix for CVE-2024-23692
  if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
  extractParams();
  url:=decodeURL(url);

This was my second 'impossible task' achieved or accomplished here (the first was helping to bring the 'logout' function to HFS), and now an attempt to fix this vulnerability. Those are the good things about programming: almost nothing is impossible with a lot of effort and dedication. :)
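Both fixes in this thread, the one-line encoding fix in this post and the anyMacroMarkerIn check on conn.request.full in the October 6 post, as an added example in Python rather than Pascal; this is not code from HFS itself. It applies the two ideas in the order a filter should use: percent-decode the request text to a stable form first, then look for markers in the request line and in every header, which is the gap raised above about the 'Host' header. The marker strings are HFS2's macro delimiters as given in the HFS macro documentation (an assumption here, not taken from this thread); the sample requests are constructed.

```python
"""Macro-marker request filtering (added example; not HFS source code).

Two fixes were posted in this thread: neutralising percent-encoding in the
URL before it is decoded, and rejecting any request whose full text contains
a macro marker.  This module does both in the order a filter should use:
decode to a stable form first, then check the request line and every header.
"""
from urllib.parse import unquote

# HFS2 macro delimiters as documented for its macro language (assumed here).
MACRO_MARKERS = ("{.", ".}", "{:", ":}")

# Constructed requests for the demonstration; none of them is real traffic.
SAMPLE_CLEAN = ("GET /files/readme.txt HTTP/1.1\r\n"
                "Host: hfs.example.net\r\n"
                "User-Agent: curl/8.0\r\n\r\n")
SAMPLE_TARGET = ("GET /?search=%7B.example.%7D HTTP/1.1\r\n"
                 "Host: hfs.example.net\r\n\r\n")
# A follow-up request whose Referer repeats the earlier URL: it is flagged,
# but reported as a header hit so it can be handled apart from the URL case.
SAMPLE_HEADER = ("GET /favicon.ico HTTP/1.1\r\n"
                 "Host: hfs.example.net\r\n"
                 "Referer: http://hfs.example.net/?search=%7B.example.%7D\r\n\r\n")
SAMPLE_DOUBLE = ("GET /?search=%257B.example.%257D HTTP/1.1\r\n"
                 "Host: hfs.example.net\r\n\r\n")


def canonicalize(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded), so a marker
    behind one or two layers of encoding is compared in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def any_macro_marker_in(text: str) -> bool:
    """Same question as the posted anyMacroMarkerIn, asked of the canonical text."""
    canon = canonicalize(text)
    return any(marker in canon for marker in MACRO_MARKERS)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into method, target, version and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def inspect_request(raw: str) -> dict:
    """Report where markers occur: in the target and/or in named headers.

    Checking the target alone misses the header case raised in the thread
    (the 'Host' header is not covered), so every header value is checked too.
    """
    req = parse_request(raw)
    hits = []
    if any_macro_marker_in(req["target"]):
        hits.append("target")
    for name, value in req["headers"].items():
        if any_macro_marker_in(value):
            hits.append("header:" + name)
    return {"blocked": bool(hits), "hits": hits}


def neutralize(text: str) -> str:
    """Alternative to rejecting: split each delimiter in the canonical text so
    nothing downstream can read it as a macro.  The result is already decoded
    and must not be percent-decoded again afterwards."""
    canon = canonicalize(text)
    for marker in MACRO_MARKERS:
        canon = canon.replace(marker, marker[0] + " " + marker[1])
    return canon


if __name__ == "__main__":
    for label, raw in [("clean", SAMPLE_CLEAN), ("target", SAMPLE_TARGET),
                       ("header", SAMPLE_HEADER), ("double-encoded", SAMPLE_DOUBLE)]:
        print(label, inspect_request(raw))
```

The point of decoding before checking is that the two fixes above work on different representations (the raw URL before decodeURL, the full request text in handleHeaderData); comparing everything in one canonical form avoids having to reason about which encoding each code path sees.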

5
Everything else / Re: Message to Rejetto: forum's email is broken
« on: August 11, 2024, 12:25:15 AM »
It's still working here, and I agree that the main reason for this whole problem (and also for having too many spam accounts) is the use of fake/disposable email addresses to register (like you said, 'invalid addresses'). If we filter so that registration comes ONLY from common respectable email providers, like Gmail, Yahoo, Hotmail, Yandex, GMX, QQ, etc., then those spam accounts will be much fewer.

Reading a forum thread on SMF Community Forum, about "Restrict email providers on registration", I've found THIS mod, which works with current SMF version, and has a very useful option named "Only allow these providers" (along with preventing people using their email addresses as usernames).

PS: nothing is perfect, since one Gmail account could have MANY email aliases (and register many accounts on the forum using those aliases). So, it would be great if we could 'clean' the email username of any "+" (plus symbols) and "." (dots) when someone is using Gmail to register, to avoid the 'alias' trick. Perhaps the mod that I mentioned has this feature too (I don't know).
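The provider allow-list and the Gmail alias folding described in this post, as an added example in Python; this is not the SMF mod mentioned above. The provider set and the sample addresses are constructed, and lower-casing the local part is assumed to be safe for the listed providers.

```python
"""Registration e-mail policy (added example; not the SMF mod named in the post).

Two controls from the post: accept only an allow-list of mail providers, and
fold Gmail aliases (dots and a '+tag' in the local part) into one canonical
address so one mailbox cannot register many forum accounts.
"""
import re

# Constructed allow-list following the providers named in the post.
ALLOWED_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com",
                     "yandex.com", "gmx.com", "qq.com"}
# Providers that ignore dots in the local part / honour '+tag' sub-addresses.
# Only Gmail is listed, as in the post; extend the sets for others you verify.
DOT_INSENSITIVE = {"gmail.com"}
PLUS_TAGGED = {"gmail.com"}

LOCAL_RE = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")


def split_address(addr: str):
    """Return (local, domain) for a syntactically plausible address, else ValueError."""
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = addr.split("@")
    if not local or not domain or not LOCAL_RE.match(local):
        raise ValueError("malformed local part or domain")
    return local, domain.lower()


def canonical(addr: str) -> str:
    """Canonical mailbox identity used for duplicate detection.

    The local part is lower-cased (assumed safe for the listed providers);
    '+tag' and dots are removed only where the provider is known to ignore them.
    """
    local, domain = split_address(addr)
    local = local.lower()
    if domain in PLUS_TAGGED:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    if not local:
        raise ValueError("empty local part after folding")
    return local + "@" + domain


def check_registration(addr: str, taken):
    """Decide on a registration e-mail.

    `taken` holds the canonical addresses already registered.
    Returns (accepted, reason) or (accepted, canonical_address).
    """
    try:
        _, domain = split_address(addr)
        canon = canonical(addr)
    except ValueError:
        return False, "malformed"
    if domain not in ALLOWED_PROVIDERS:
        return False, "provider not allowed"
    if canon in taken:
        return False, "alias of existing account"
    return True, canon


if __name__ == "__main__":
    registered = {"johndoe@gmail.com"}  # constructed existing account
    for candidate in ["John.Doe+forum@Gmail.com", "new.user@gmx.com",
                      "someone@throwaway.example", "bad@@gmail.com"]:
        print(candidate, "->", check_registration(candidate, registered))
```

Store the canonical form next to the address the user typed: the original is still needed to deliver mail, while the canonical one is what the uniqueness check compares against.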

6
Everything else / Re: Message to Rejetto: forum's email is broken
« on: August 06, 2024, 02:26:55 AM »
Quote
it should be fixed now.
Yes, I confirm that now it works... :)

Quote
works as expected, bots will be able to have fun again
To avoid bots, according to the forum's documentation, "the most efficient anti-spam method provided by SMF" by default, without having to install any -Mod- (modification), is enabling "Verification Questions". I've read that adding three simple (but not so obvious) questions stops most bots. I highly recommend adding this to relieve Mars's task of cleaning the forum. 8)

7
Everything else / Message to Rejetto: forum's email is broken
« on: July 24, 2024, 12:08:26 AM »
Hi! This is a message to Rejetto. :) I have his email, but I don't want to bother him with this, so I use this space to report that the forum's email system is completely broken. The forum system DOES NOT send any email. This means the following:

- Users don't get notifications of new 'Private Messages', nor of emails sent through the forum.
- Users don't get notifications of new posts, in case they were subscribed to get email notifications.

- New users can't signup/register, since they can't get the verification link, sent by the forum via email.

» Summarizing: any email sent through the forum, is lost and never sent...

Since this forum is using "OVH Web Hosting", perhaps the following link helps you:
https://help.ovhcloud.com/csm?id=kb_article_view&sysparm_article=KB0052915

@Rejetto: I hope you can fix it, but there is no pressure on doing it.
Take the time you need, but please don't forget about it. ;)
Thank you, and sorry for opening this thread.

Cheers,
Leo.-

8
HFS ~ HTTP File Server / Warning: HFS v2.x has a severe vulnerability
« on: July 22, 2024, 08:16:08 PM »
Hi everyone! This is a notice to all the users of HFS version 2.x (I will call it 'HFS2' for making it short). Recently, a severe vulnerability (CVE-2024-23692) was found in HFS2 (known to affect HFS v2.4.0 RC7 and HFS v2.3m). This information was kept private until now, to give it time to find a solution, but now I think it's time to make this notice public. This is only an informational message to let everyone know about this. Anyone with Pascal/Delphi knowledge could contribute to finding a fix.

We are discussing how to patch it, here:
https://github.com/drapid/hfs/issues/3

You could contribute by submitting code fixes to the source code, either on GitHub or here in the appropriate forum section: Programmers corner (opening a new thread there or leaving a comment here on this very same thread). If we find a correct fix (and since Rejetto will not update HFS2 anymore), perhaps we can build an unofficial "community" version for those who can't upgrade to HFS3.

Let's keep HFS v2.x alive, and...
...please do not panic. ;)

Stay safe,
Leo.-

9
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 11, 2024, 05:10:45 PM »
Quote
May I ask why you don't have enough free time?
The answer is simple: life is very uneven where I live, and it can be tough for those who are not lucky to have a great job. Having 2 or more jobs to survive is something normal here, that's why there is no free time. And programming isn't my source of income (I've studied programming many years ago, but in the end I dedicated myself to something else). Now I have a hobbyist approach to programming.

By the way, even replying to messages like this, here on this forum, consumes too much of my free spare time. That's why I don't like chit-chatting about trivial matters, but only contributing to things that are useful to others. Please keep it that way. It's best that we keep this forum thread open, so that others can leave their opinion about your program (Webd) in the future, instead of continuing to undermine it with personal conversations, and it would be great if you could contribute in any way to the progress of HFS. :)

It's time for me to get back to work,
until next time, goodbye...
Leo.-


10
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 09, 2024, 08:32:10 PM »
Quote
I'm not discouraged by your message, just the data tell the truth.
Keep in mind that it could take several years before a software gets wider usage. HFS needed 10 to 20 years to get to the position it is in today. It's not something that happens overnight, no matter how much you want to promote it. Too much promotion could even be counterproductive, since it might look like something negative to some users. Adding advertisements to software is something that also scares off users, especially in English-speaking countries.

Quote
Nowadays, people would rather use web apps. Fewer and fewer people still use a PC.
Yes, that's true. And those who use PC and run a permanent web server, will probably look for something more powerful/robust to handle a lot of traffic/users (concurrent connections), and they might already use Nginx, Apache, Lighttpd, LiteSpeed Web Server or similar (since they could be computer experts). People in the know are not afraid of using complex software. Personally, although I have some advanced computer knowledge, I always try to keep things simple. That's why I love HFS, because it can be very simple to use, but also very complex if needed.

Quote
I don't know why Webd is very popular only in my native language world
If I'm not mistaken, you are from China, and people from there are smarter/more intelligent (more geeky persons, open to testing new technologies) than in English-speaking countries. There, you all could be more comfortable seeing advertisements than here too. That could be the reason why Webd is very popular there. I have a big respect (and admiration) for people from your country, but you should know that not everyone here has the same concept of your country (the world is very divided today). I do not get carried away by what others say, I evaluate and value people, I do not follow pre-established precepts. However, I am always very cautious when trying new software, no matter what country it comes from (and I like privacy-friendly software).

Quote
And even worse I don't have many friends  :'(
I also don't have too many friends (I prefer quality friends, to quantity of semi-acquaintances), but you can count on me to help you out, on whatever is possible to me, given my very limited free time. I always try to be active on this forum, helping people who need something (you can find me here and also on Twitter). Well, I have nothing more to say, I hope other users here can leave their opinion about your program.

Rejetto (the author of HFS) would like if you try his new HFS3, and leave your opinion about it. ;)

Wish you all the best,
Leo.-

11
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 08, 2024, 03:52:45 AM »
Quote
Did you run it unprivileged?
I've run Webd with administrator rights (my mistake). But I could have had bad luck with my graphics card, and it might be a mere coincidence that I was testing your software. Please don't feel bad. :-[

Quote
I think I won't give much time on apps like webd any more, it's not worth it.
Please don't feel discouraged by my message.

» To tell the truth, I was a little paranoid, because lately there are too many people attacking old HFS versions (v2.3m and v2.4), as if they were doing it on purpose, to discourage others from running local home servers. I know this is totally unrelated, but it's to give you some context about my last message.

If you have some friends with Delphi/Pascal knowledge, you can tell them to give a hand to find a solution to this vulnerability (CVE-2024-23692), which is explained here: https://github.com/drapid/HFS/issues/3

You can still be a hero here... :D

12
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 08, 2024, 01:28:36 AM »
Quote
I will test Webd this weekend.
I have some bad news, :( but please don't panic. After testing "Webd", HTTP Web Server (webd.cf/webd), everything seems to be fine (at least, at first sight it works), but when I analyzed it with an "online antivirus" (which does a sandbox analysis), the results were not so good. I thought it was only a 'false positive', but 24 hours after testing 'Webd', my graphics card suddenly died (nothing really important, since I tested this on an unimportant PC), but I can't be 100% sure if this was a mere coincidence or not.

After all, according to the sandbox analysis, this software has too many 'Suspicious Indicators', one of them being driver access ("Contains ability to start/interact with device drivers"). So, I wouldn't take the chance of running this again (at least not directly on hardware, but in a 'Virtual Machine'). The lesson was learned. I always try to trust the programmer behind a software, but when things go wrong (for whatever reason), this trust is lost, and then it's very hard to recover.

I'm commenting on this to the rest of the forum community, to make you all aware of the possible consequences of running this software, and of what my personal experience with it was (only as an informational note). Please don't take this as a final verdict about 'Webd'. Anyone is free to do what they think is best, but I can't recommend this software to anyone, unless you take the risks. The report generated by "Falcon Sandbox" @ Hybrid Analysis says:

"Malicious"
Threat Score: 50/100
AV Detection: Marked as clean
(See the complete report here)

Since antivirus detection "marked it as clean", you have the final choice to run it or not, and determine if it's really safe to run. That's why I always prefer 'open source' apps, to be able to analyze the software activity directly from the source code (in case it's needed). Well, that's it. I hope you don't get angry with me for saying this. I always try to be friendly and help others (I have a long history on this forum), that's why I must leave this warning notice.

Stay safe,
Leo.-

13
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 06, 2024, 10:36:24 AM »
Quote
I think you're curious for what I'm using to build the whole bunch of binaries for all kinds of platforms.
Yes, my curiosity was because it was multi-platform. Now I see that you have put a lot of dedication and work into compiling your software for multiple platforms, congratulations. That's the good thing about writing applications in the C language: portability (being a platform-independent language). I will test Webd this weekend.

14
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 04, 2024, 10:20:44 PM »
Quote
This is what ChatGPT said about webd
The description is perfect (it was a good idea using ChatGPT).

Quote
All compiled using a single Makefile
Since there are plenty of C compilers available online (GCC, TCC, MinGW, LLVM, Clang, etc.), would you please leave a download link for the C compiler you use to compile WebD? I'm just asking out of curiosity, to learn new things (I'm not afraid of visiting websites in other languages, since I can use a translator).

By doing this, you will soon be able to post direct links on the forum. ;)

15
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 03, 2024, 04:58:46 AM »
Quote
Thanks a lot for telling me all that.
You're welcome. :)

Quote
I'm not sure whether to open source it. Currently, at the bottom of the file list on the web interface, there might be an inconspicuous line of text advertising or other information. If it's open-sourced, this will definitely be recompiled and removed, or even changed to someone else's advertisement and redistributed.
That's understandable. I hope the advertisements go well for you, I wish you success. If at any point you decide to abandon or discontinue developing the software, keep in mind to open source it, so that someone else can continue improving it. Anyway, in this part of the world where I live (as you say, the "english-speaking world"), most people here are very lazy, so even if they have the source code, they will do nothing. For example, HFS (this forum is about that software) is open source and almost -nobody- collaborates by contributing enhancements.

Quote
I am considering applying the TLS/1.3 code to a new project, such as a chat server similar to webd, because using WebRTC for audio and video calls requires HTTPS support.
It sounds very interesting, I hope it's also lightweight.
