HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 06, 2024, 06:10:59 PM »
Hello to both of you. Even though I am not involved in HFS3, which to me is a completely different project from HFS 2.x, I keep an eye on the possible changes to be made to the latter.
With some similar approaches I did not arrive at a satisfactory result: there are not only the urlvars to control but also the recursion of the attack via %url%, and it is also necessary to take into account the postvars and, as rejetto said, the attacks through headers.
I looked into a more restrictive use of the EXE macro, limiting the programs that can be launched to those contained exclusively in a subdirectory of HFS, but as things stand I do not handle %url% in a loop.
procedure exec_();
var
  s, exe: string;
  code: cardinal;
begin
  // Only programs inside <HFS dir>\exec\ may be launched. Any directory part
  // of the macro parameter is discarded, so a traversal or absolute path can
  // only ever select a file that already sits in exec\.
  // Edited here: the path that is checked is also the path that is executed
  // (the posted version checked exec\ but then launched the raw parameter).
  exe:=exepath+'exec\'+extractFileName(macroDequote(p));
  if not fileExists(exe) then
    begin
    pars.clear();
    result:='';
    mainfrm.add2log('DISCONNECTED'+CRLF+exe);
    disconnect();
    exit;
    end;
  s:=macroDequote(par(1));
  if fileOrDirExists(s) then
    s:=quoteIfAnyChar(' ', s)
  else
    if unnamedPars < 2 then
      s:='';
  if parExist(['out']) or parExist(['timeout']) or parExist(['exit code']) then
    try
      // exepath may contain spaces, so quote the program path on the command line
      spaceIf(captureExec(quoteIfAnyChar(' ', exe)+nonEmptyConcat(' ', s), s, code, parF('timeout',2)));
      try setVar(parEx('exit code'), intToStr(code)) except end;
      setVar(parEx('out'), s);
    except end
  else
    spaceIf(exec(exe, s))
end; // exec_
Put the file calc.exe (to test) inside a new exec\ subdirectory and use the macro {.exec|calc.exe.}; the bad syntax without the extension, {.exec|calc.}, is stopped.
This is a safe and absolute start for those who do not leave an executable in the exec\ directory.
What a hacker doesn't know about available resources is an obstacle to hacking.
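The restriction described in the post, as an added example that is not HFS code and not part of the original post: it is written in Python rather than Delphi so the guard can be exercised on its own, with a constructed exec\ directory holding only a placeholder calc.exe. The function names, the temporary directory layout and the sample requests are all assumptions made for the demonstration. Two points go beyond the posted procedure: the resolved path inside exec\ is what gets returned for execution (the posted guard checks exec\ but launches the raw parameter, so {.exec|..\..\Windows\System32\calc.exe.} would pass the check and then run the raw string), and the resolved path is compared against the resolved exec\ directory so a link inside it that points elsewhere is refused. Because the guard sits on the macro itself, it applies no matter whether the macro text arrived through urlvars, postvars, headers or a %url% expansion.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List


class ExecNotAllowed(Exception):
    """Raised when the requested program is not a file inside the exec directory."""


def resolve_allowed_exe(exec_dir: Path, requested: str) -> Path:
    """Confine a (possibly attacker-controlled) macro parameter to exec_dir.

    As in the posted guard, only the file name is kept (any directory part,
    Windows or POSIX, is dropped) and that name must exist inside exec_dir.
    Unlike the posted guard, the resolved path is returned so the caller
    launches the file that was checked rather than the raw parameter.
    """
    name = os.path.basename(requested.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ExecNotAllowed(f"no usable file name in {requested!r}")
    base = exec_dir.resolve()
    candidate = (base / name).resolve()
    # resolve() follows symlinks/junctions: a link inside exec_dir that points
    # somewhere else ends up outside base and is refused here.
    if candidate.parent != base:
        raise ExecNotAllowed(f"{name} resolves outside {base}")
    # A name with no extension ({.exec|calc.}) fails here because exec\calc
    # does not exist, which is exactly how the post says it is stopped.
    if not candidate.is_file():
        raise ExecNotAllowed(f"{candidate} does not exist")
    return candidate


def build_exec_command(exec_dir: Path, macro_param: str, extra_arg: str = "") -> List[str]:
    """The argv the hardened macro would hand to the process launcher (not run here)."""
    exe = resolve_allowed_exe(exec_dir, macro_param)
    return [str(exe)] + ([extra_arg] if extra_arg else [])


def demo() -> Dict[str, str]:
    """Exercise the guard against a constructed exec directory holding only calc.exe."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        exec_dir = Path(tmp) / "exec"
        exec_dir.mkdir()
        (exec_dir / "calc.exe").write_bytes(b"")  # constructed placeholder, not a real binary
        requests = [
            "calc.exe",                             # intended use: {.exec|calc.exe.}
            "calc",                                 # no extension: exec\calc does not exist
            "..\\..\\Windows\\System32\\calc.exe",  # traversal: only the exec\ copy can be selected
            "C:\\Windows\\System32\\cmd.exe",       # absolute path to a program not in exec\
            "",                                     # empty parameter
        ]
        for req in requests:
            try:
                cmd = build_exec_command(exec_dir, req)
                results[req] = "allowed:" + Path(cmd[0]).name
            except ExecNotAllowed:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:42} -> {outcome}")
```

The traversal request is worth a second look: it is "allowed", but what is allowed is exec\calc.exe, never the System32 copy, because the directory part was thrown away before the path was built. With the posted Delphi guard the same request passes the fileExists test and the unchanged parameter is then handed to exec, which is the defect the edited procedure above closes by launching the checked path.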