rejetto forum

Show Posts



Messages - LeoNeeson

Pages: 1 2 3 ... 57
1
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 06, 2024, 06:46:05 AM »
That's great, congratulations on your achievement, Leo!
Thanks, it means a lot that you like it, I appreciate it. :) To me, it's like an exercise to dip my toes into Delphi, although there is still a long way to go...

You prefer 2.3 over 2.4?
Not really, only some parts of it (2.4 has huge improvements), but mainly I'm using 2.3 in my tests because it is much easier for me to build it (using TD2006). And since it was the latest stable version published, it is the version I've used as an example.

Is the URL the only way to use the vulnerability? Even if the PoC of the CVE uses the URL, be sure to consider the possibility of the attack coming from a header.
Yes, I know what you mean (the 'Host' header is not covered, for example); that's why I'm not completely happy with my 'single line' fix (although it works). That's why I'm testing a completely new fix (instead of the previous code). See...



» Alternative method to stop this macro vulnerability:
Add the line marked in green, after line 5084 in 'main.pas' (v2.3m)

Quote
  runEventScript('pre-filter-request');

  // Check macro leaks, prevent hack attempts
  // (added block: it scans the whole raw request, headers included, not only the URL)
  if anyMacroMarkerIn(conn.request.full) then
  begin
    data.disconnectReason:='Hack attempt blocked. This event has been logged!';
    add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
    getPage('deny', data);
    conn.reply.mode:=HRM_BAD_REQUEST;
    exit;
  end;



It works, but even then, it's just a simple check-and-stop, not true 'urlvar' filtering (and I can't be 100% sure if it is enough, or if some hacker could think of a workaround to bypass this measure). And if the browser asks for 'favicon.ico' along with the same request, it gets logged as a hack attempt too (I don't like this, and I have to think about how to handle it, perhaps with 'urlCmd'). Alternatively, I was thinking of doing a 'stringReplace' of macro markers on 'request.full' at an earlier stage, right in the 'handleHeaderData' procedure (which also works, as a second measure), but I don't like this approach, since it could mess with other parts of the code.

Well, I think that's all I will be doing on this at the moment; I don't have too much time to go deeper into analyzing this, it's only a start for now.

2
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 02, 2024, 06:36:55 AM »
After spending several hours last weekend, I'm happy to finally announce that I've come up with a simple (one-line) solution to this macro vulnerability. :D

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'.
Add the line marked in red, after line 5100 in 'main.pas'
(after line 5445 in v2.4 RC07, but that hasn't been tested).

Quote
  url:=conn.request.url; // The next line is a fix for CVE-2024-23692
  // Added line: when a macro marker is present in the URL, rewrite '%' as '#'
  // (xtpl pair substitution) and re-encode, before params are extracted and the URL is decoded
  if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
  extractParams();
  url:=decodeURL(url);

This was my second 'impossible task' achieved or accomplished here (the first was helping to bring the 'logout' function to HFS), and now an attempt to fix this vulnerability. Those are the good things about programming: almost nothing is impossible with a lot of effort and dedication. :)
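The two fixes posted above differ in what they inspect: the one-line fix looks at the request URL, while the alternative block checks conn.request.full (headers included). The Python script below is an added example written for this page; it is not HFS source and not either of the posted patches. It parses a raw HTTP request, percent-decodes repeatedly (so a double-encoded marker is still found) and reports which component carries an HFS macro marker. The marker strings '{.' and '.}' are assumed from HFS's macro syntax, and the four sample requests are constructed for the example. It shows that a URL-only check misses a marker placed in the Host header, and that a whole-request check also flags a favicon.ico request whose Referer echoes the earlier URL, which is the false positive described in the later post.

```python
"""Added example (not HFS source): find HFS macro markers anywhere in a raw
HTTP request, so a check can cover headers and not only the URL."""
from urllib.parse import unquote

# HFS template macro delimiters (assumed from HFS's '{.macro.}' syntax)
MARKER_OPEN = "{."
MARKER_CLOSE = ".}"
MAX_DECODE_ROUNDS = 3   # also catches double/triple percent-encoding


def fully_decoded(value: str) -> str:
    """Percent-decode until the text stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_macro_marker(value: str) -> bool:
    """True when either marker appears after decoding."""
    decoded = fully_decoded(value)
    return MARKER_OPEN in decoded or MARKER_CLOSE in decoded


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, url, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def url_only_check(raw: str) -> bool:
    """Same scope as a fix that inspects only the request URL."""
    _method, url, _headers = parse_request(raw)
    return has_macro_marker(url)


def full_request_check(raw: str) -> list:
    """Names of every request component (url, header:<name>) carrying a marker."""
    _method, url, headers = parse_request(raw)
    hits = ["url"] if has_macro_marker(url) else []
    hits += ["header:" + name for name, value in headers.items()
             if has_macro_marker(value)]
    return hits


def referer_only(hits: list) -> bool:
    """True when the marker was seen in Referer and nowhere else, e.g. a
    browser fetching favicon.ico right after a page whose URL had a marker."""
    return hits == ["header:referer"]


# Constructed sample requests for the example (not captured traffic).
REQ_MARKER_IN_QUERY = ("GET /?search=%7B.test.%7D HTTP/1.1\r\n"
                       "Host: 192.168.1.10\r\n\r\n")
REQ_MARKER_IN_HOST = ("GET / HTTP/1.1\r\n"
                      "Host: {.test.}\r\n\r\n")
REQ_FAVICON_REFERER = ("GET /favicon.ico HTTP/1.1\r\n"
                       "Host: 192.168.1.10\r\n"
                       "Referer: http://192.168.1.10/?search=%7B.test.%7D\r\n\r\n")
REQ_CLEAN = ("GET /docs/readme.txt HTTP/1.1\r\n"
             "Host: 192.168.1.10\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("query", REQ_MARKER_IN_QUERY), ("host", REQ_MARKER_IN_HOST),
                       ("favicon", REQ_FAVICON_REFERER), ("clean", REQ_CLEAN)]:
        hits = full_request_check(req)
        print(f"{label:8} url-only={url_only_check(req)!s:5} full={hits} "
              f"referer-only={referer_only(hits)}")
```

Running the file prints, for each constructed request, whether the URL-only check fires and which components the whole-request check flags. referer_only() is one option for the favicon case: a marker seen only in Referer could be logged rather than blocked. Whether that is safe for HFS depends on whether any template ever expands the Referer value, which this example does not decide.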

3
Everything else / Re: Message to Rejetto: forum's email is broken
« on: August 11, 2024, 12:25:15 AM »
It's still working here, and I agree that the main reason for this whole problem (and also for having too many spam accounts) is the use of fake/disposable email addresses to register (like you said, 'invalid addresses'). If we filter so that registrations come ONLY from common, respectable email providers, like Gmail, Yahoo, Hotmail, Yandex, GMX, QQ, etc., then there will be far fewer spam accounts.

Reading a forum thread on the SMF Community Forum about "Restrict email providers on registration", I found THIS mod, which works with the current SMF version and has a very useful option named "Only allow these providers" (along with preventing people from using their email addresses as usernames).

PS: nothing is perfect, since one Gmail account could have MANY email aliases (and register many accounts on the forum using those aliases). So, it would be great if we could 'clean' the email username of any "+" (plus symbols) and "." (dots) when someone is using Gmail to register, to avoid the 'alias' trick. Perhaps the mod I mentioned has this feature too (I don't know).
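On the Gmail alias point in the PS above: Gmail ignores a '+tag' suffix and the dots in the local part, so several spellings deliver to one mailbox. The Python below is an added example for this page, not the SMF mod mentioned in the post: it canonicalises an address before the provider allowlist and the duplicate check are applied. The provider list is an assumed illustration of the "common respectable providers" idea, and the dot/plus normalisation is deliberately applied only to Gmail (and its googlemail.com alias domain), since other providers treat dots as significant.

```python
"""Added example (not the SMF mod): canonicalise registration e-mails so Gmail
alias variants collapse to one identity, then apply a provider allowlist."""
from typing import Optional

# Assumed illustration of "common respectable providers"; adjust as needed.
ALLOWED_PROVIDERS = {
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "yandex.com", "gmx.com", "qq.com",
}
# Gmail delivers john.doe+x@gmail.com, johndoe@gmail.com and
# j.o.h.n.doe@googlemail.com to the same mailbox; other providers do not
# ignore dots, so only these domains get the dot/plus normalisation.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> Optional[str]:
    """Return a normalised 'local@domain', or None when the shape is invalid."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    if domain in GMAIL_DOMAINS:
        domain = "gmail.com"                 # treat the alias domain as Gmail
        local = local.split("+", 1)[0]       # drop the '+tag' part
        local = local.replace(".", "")       # Gmail ignores dots
        if not local:
            return None
    return f"{local}@{domain}"


def provider_allowed(address: str) -> bool:
    """Allowlist check on the canonical domain."""
    canon = canonical_email(address)
    return canon is not None and canon.rpartition("@")[2] in ALLOWED_PROVIDERS


def register(address: str, registry: set) -> bool:
    """Admit a registration only if the provider is allowed and the canonical
    address has not been seen before; returns True when the account is created."""
    canon = canonical_email(address)
    if canon is None or not provider_allowed(address) or canon in registry:
        return False
    registry.add(canon)
    return True


if __name__ == "__main__":
    seen = set()
    for candidate in ["John.Doe@gmail.com", "johndoe+forum@GoogleMail.com",
                      "someone@mailinator.com", "first.last@yahoo.com"]:
        print(f"{candidate:30} -> {canonical_email(candidate)!s:22} "
              f"registered={register(candidate, seen)}")
```

The second Gmail candidate in the demo is rejected as a duplicate of the first even though the raw strings differ, which is the alias trick the post describes. Keying the registry on the canonical form rather than the typed address is the whole point of the normalisation.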

4
Everything else / Re: Message to Rejetto: forum's email is broken
« on: August 06, 2024, 02:26:55 AM »
it should be fixed now.
Yes, I confirm that it works now... :)

works as expected, bots will be able to have fun again
To avoid bots, according to the forum's documentation, "the most efficient anti-spam method provided by SMF" by default, without having to install any mod (modification), is enabling "Verification Questions". I've read that adding three simple (but not so obvious) questions stops most bots. I highly recommend adding this to relieve Mars of the task of cleaning the forum. 8)

5
Everything else / Message to Rejetto: forum's email is broken
« on: July 24, 2024, 12:08:26 AM »
Hi! This is a message to Rejetto. :) I have his email, but I don't want to bother him with this, so I use this space to report that the forum's email system is completely broken. The forum system DOES NOT send any email. This means the following:

- Users don't get notifications of new 'Private Messages', nor of emails sent through the forum.
- Users don't get notifications of new posts, in case they subscribed to email notifications.

- New users can't sign up/register, since they can't get the verification link sent by the forum via email.

» Summarizing: any email sent through the forum is lost and never sent...

Since this forum is using "OVH Web Hosting", perhaps the following link helps you:
https://help.ovhcloud.com/csm?id=kb_article_view&sysparm_article=KB0052915

@Rejetto: I hope you can fix it, but there is no pressure on doing it.
Take the time you need, but please don't forget about it. ;)
Thank you, and sorry for opening this thread.

Cheers,
Leo.-

6
HFS ~ HTTP File Server / Warning: HFS v2.x has a severe vulnerability
« on: July 22, 2024, 08:16:08 PM »
Hi everyone! This is a notice to all users of HFS version 2.x (I will call it 'HFS2' for short). Recently, a severe vulnerability (CVE-2024-23692) was found in HFS2 (known to affect HFS v2.4.0 RC7 and HFS v2.3m). This information was kept private until now, to give time to find a solution, but now I think it's time to make this notice public. This is only an informational message to let everyone know about it. Anyone with Pascal/Delphi knowledge could contribute to finding a fix.

We are discussing how to patch it, here:
https://github.com/drapid/hfs/issues/3

You could contribute by submitting code fixes to the source code, either on GitHub or here in the appropriate forum section: Programmers corner (opening a new thread there, or leaving a comment here on this very same thread). If we find a correct fix (and since Rejetto will not update HFS2 anymore), perhaps we can build an unofficial "community" version for those who can't upgrade to HFS3.

Let's keep HFS v2.x alive, and...
...please do not panic. ;)

Stay safe,
Leo.-

7
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 11, 2024, 05:10:45 PM »
May I ask why you don't have enough free time?
The answer is simple: life is very uneven where I live, and it can be tough for those who are not lucky enough to have a great job. Having 2 or more jobs to survive is normal here; that's why there is no free time. And programming isn't my source of income (I studied programming many years ago, but in the end I dedicated myself to something else). Now I have a hobbyist approach to programming.

By the way, even replying to messages like this, here on this forum, consumes too much of my spare time. That's why I don't like chit-chatting about trivial matters, but only contributing to things that are useful to others. Please keep it that way. It's best that we keep this forum thread open, so that others can leave their opinion about your program (Webd) in the future, instead of continuing to undermine it with personal conversations, and it would be great if you could contribute in any way to the progress of HFS. :)

It's time for me to get back to work,
until next time, goodbye...
Leo.-


8
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 09, 2024, 08:32:10 PM »
I'm not discouraged by your message, just the data tell the truth.
Keep in mind that it could take several years before a piece of software gets wider usage. HFS needed 10 to 20 years to get to the position it is in today. It's not something that happens overnight, no matter how much you want to promote it. Too much promotion could even be counterproductive, since it might look like something negative to some users. Adding advertisements to software is something that also scares off users, especially in English-speaking countries.

Nowadays, people prefer to use web apps. Fewer and fewer people still use a PC.
Yes, that's true. And those who use a PC and run a permanent web server will probably look for something more powerful/robust to handle a lot of traffic/users (concurrent connections), and they might already use Nginx, Apache, Lighttpd, LiteSpeed Web Server or similar (since they could be computer experts). People in the know are not afraid of using complex software. Personally, although I have some advanced computer knowledge, I always try to keep things simple. That's why I love HFS: it can be very simple to use, but also very complex if needed.

I don't know why Webd is very popular only in my native-language world
If I'm not mistaken, you are from China, and people from there are smarter/more intelligent (more geeky persons, open to testing new technologies) than in English-speaking countries. There, you all could be more comfortable seeing advertisements than here, too. That could be the reason why Webd is very popular there. I have great respect (and admiration) for people from your country, but you should know that not everyone here has the same concept of your country (the world is very divided today). I don't get carried away by what others say; I evaluate and value people, I do not follow pre-established precepts. However, I am always very cautious when trying new software, no matter what country it comes from (and I like privacy-friendly software).

And even worse, I don't have many friends  :'(
I also don't have too many friends (I prefer quality friends to a quantity of semi-acquaintances), but you can count on me to help you out with whatever is possible for me, given my very limited free time. I always try to be active on this forum, helping people who need something (you can find me here and also on Twitter). Well, I have nothing more to say; I hope other users here can leave their opinion about your program.

Rejetto (the author of HFS) would like it if you tried his new HFS3 and left your opinion about it. ;)

Wish you all the best,
Leo.-

9
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 08, 2024, 03:52:45 AM »
Did you run it unprivileged?
I ran Webd with administrator rights (my mistake). But I could have had bad luck with my graphics card, and it might be a mere coincidence that I was testing your software. Please don't feel bad. :-[

I think I won't give much time to apps like webd any more. It's not worth it.
Please don't feel discouraged by my message.

» To tell the truth, I was a little paranoid, because lately there are too many people attacking old HFS versions (v2.3m and v2.4), as if they were doing it on purpose, to discourage others from running local home servers. I know this is totally unrelated, but it's to give you some context about my last message.

If you have some friends with Delphi/Pascal knowledge, you can tell them to give a hand in finding a solution to this vulnerability (CVE-2024-23692), which is explained here: https://github.com/drapid/HFS/issues/3

You can still be a hero here... :D

10
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 08, 2024, 01:28:36 AM »
I will test Webd this weekend.
I have some bad news, :( but please don't panic. After testing "Webd", HTTP Web Server (webd.cf/webd), everything seemed to be fine (at least, at first sight it works), but when I analyzed it with an "online antivirus" (which does a sandbox analysis), the results were not so good. I thought it was only a 'false positive', but 24 hours after testing 'Webd', my graphics card suddenly died (nothing really important, since I tested this on an unimportant PC), but I can't be 100% sure whether this was a mere coincidence or not.

After all, according to the sandbox analysis, this software has too many 'Suspicious Indicators', one of them being driver access ("Contains ability to start/interact with device drivers"). So, I wouldn't take the chance of running this again (at least not directly on hardware, but in a 'Virtual Machine'). The lesson was learned. I always try to trust the programmer behind a piece of software, but when things go wrong (for whatever reason), this trust is lost, and then it's very hard to recover.

I'm commenting on this to the rest of the forum community, to make you all aware of the possible consequences of running this software, and of what my personal experience with it was (only as an informational note). Please don't take this as a final verdict about 'Webd'. Anyone is free to do what they think is best, but I can't recommend this software to anyone, unless you accept the risks. The report generated by "Falcon Sandbox" @ Hybrid Analysis says:

"Malicious"
Threat Score: 50/100
AV Detection: Marked as clean
(See the complete report here)

Since antivirus detection "marked it as clean", you have the final choice whether to run it or not, and to determine if it's really safe to run. That's why I always prefer 'open source' apps, to be able to analyze the software's activity directly from the source code (in case it's needed). Well, that's it. I hope you don't get angry with me for saying this. I always try to be friendly and help others (I have a long history on this forum); that's why I must leave this warning notice.

Stay safe,
Leo.-

11
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 06, 2024, 10:36:24 AM »
I think you're curious for what I'm using to build the whole bunch of binaries for all kinds of platforms.
Yes, my curiosity was because it was multi-platform. Now I see that you have put a lot of dedication and work into compiling your software for multiple platforms; congratulations. That's the good thing about writing applications in the C language: portability (being a platform-independent language). I will test Webd this weekend.

12
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 04, 2024, 10:20:44 PM »
This is what ChatGPT said about webd
The description is perfect (it was a good idea using ChatGPT).

All compiled using a single Makefile
Since there are plenty of C compilers available online (GCC, TCC, MinGW, LLVM, Clang, etc.), would you please leave a download link for the C compiler you use to compile Webd? I'm just asking out of curiosity, to learn new things (I'm not afraid of visiting websites in other languages, since I can use a translator).

By doing this, you will soon be able to post direct links on the forum. ;)

13
Everything else / Re: Webd, similar to HFS, only 90KB
« on: July 03, 2024, 04:58:46 AM »
Thanks a lot for telling me all that.
You're welcome. :)

I'm not sure whether to open source it. Currently, at the bottom of the file list on the web interface, there might be an inconspicuous line of text advertising or other information. If it's open-sourced, this will definitely be recompiled and removed, or even changed to someone else's advertisement and redistributed.
That's understandable. I hope the advertisements go well for you; I wish you success. If at any point you decide to abandon or discontinue developing the software, keep in mind to open source it, so that someone else can continue improving it. Anyway, in this part of the world where I live (as you say, the "English-speaking world"), most people here are very lazy, so even having the source code, they will do nothing. For example, HFS (this forum is about that software) is open source, and almost nobody collaborates by contributing enhancements.

I am considering applying the TLS/1.3 code to a new project, such as a chat server similar to webd, because using WebRTC for audio and video calls requires HTTPS support.
It sounds very interesting, I hope it's also lightweight.

14
Everything else / Re: Webd, similar to HFS, only 90KB
« on: June 30, 2024, 04:04:36 AM »
No one interested?
Hi! Thanks for sharing this. I haven't tested it (since I don't have enough free time right now), but it seems nice judging by the screenshots. You are lucky that I'm active on this forum to leave you a reply. If it's your app, you must know it takes some time for a piece of software to get popular and gain trust ("Webd" seems to be relatively new freeware). To my own taste, I always prefer 'Open Source' software, since to run a closed-source server, there are many alternatives. If "Webd" goes open source, I'm sure its popularity will increase. Suggestions: besides running on multiple platforms, the website doesn't say which is the minimum Windows version required (that's something useful to know), and it has a typo in the title, since "shareing" is not an English word (it should be "sharing"). It would be cool if support for SSL/HTTPS were added, although the file size will be bigger.

15
Everything else / Re: Something about me...
« on: May 12, 2024, 09:58:05 PM »
hey Leo, i've not being receiving notifications from the forum and I just saw your post now.
Yes, I noticed the 'email notification system' is broken on the forum. Nothing to worry about, but I hope you can fix it (if you haven't done so yet), since it's a very useful feature (not only for receiving email notifications of subscribed threads, but also about new private messages).

You are moving outside the country?
:-\ Eventually, yes (as a last-resort option), it's my wish to move out of my country, but it could probably take some time, since moving to another house, even in the same country, is something very frustrating and not an easy task. I like Uruguay, since it's near Argentina and it's a much more stable country (I lived there for some time, and I liked it very much, but I'm also analyzing other options too).

For those reading this, and to make a long story short: I was earning $2,000 USD monthly back in 2012-2014 (and life was *very* good, compared to current life), but ten years later (having the very same job), my earnings only represent (in local currency) nearly $200 USD now (salaries were stuck for years, and high inflation rates did the rest). This wouldn't be bad at all if prices were in line with salaries, but here food now has European prices (especially in the last few months).

I'm truly sorry to read such bad news :(
I hope you will find some love soon, but until then you may consider sharing expenses with someone else. I did so for a few years.
Thank you. I truly appreciate your comment, advice and good wishes. :)
I hope my next message here is to share good news...
(I always try to stay positive)
