rejetto forum



Messages - Mars

Pages: 1 2 3 ... 134
1
HFS ~ HTTP File Server / Re: Why file system cleared?
« on: September 28, 2022, 07:19:57 PM »
For once it would have been necessary to note the creation date of the empty vfs file, to determine whether it was a new file created as part of a data backup or whether the complete file was lost and a new, blank one recreated.
This date could also have been compared with the Windows application and system event logs, which would have given an idea of the cause of this phenomenon.

To tell the truth, this seems to be a fairly exceptional phenomenon over time; if it recurred more often, we could consider an in-depth study to try to reproduce it. At this stage it is wiser to make backups at regular intervals.

The subject remains open to follow-up in the event of a recurrence at a shorter interval.

With HFS scripts it is certainly possible to test the size of the current vfs and, in the event of an incident, restore the last backup without the administrator having to intervene too late, while issuing an alert to them in the form of an email or any other means of communication available from the server.

We can test for the existence of a hidden virtual file in the vfs as a reference point; if it disappears, this means that the vfs had a problem, and hfs can then react accordingly.
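The monitor sketched in this post, as an added example that is not part of the original post or of HFS itself: a scheduled pass that backs up a healthy vfs, notices an emptied file or a missing sentinel item, restores the last good copy and leaves an alert for the administrator. The vfs path, the sentinel name `__vfs_canary__`, the backup layout and the assumption that the sentinel item's name is stored verbatim in the vfs file are all hypothetical.

```python
"""Watchdog for the HFS virtual file system file, following the idea in the post:
back up a healthy vfs, detect an emptied or wiped one by its size and by a hidden
sentinel item, restore the last good copy and leave an alert for the administrator.
Added illustration, not HFS's own code.  Assumptions: the vfs lives at a known path,
the sentinel item's name is stored verbatim in the file, and the alert is a log
line standing in for the e-mail the post mentions; HFS itself must still reload
the restored file."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

SENTINEL = b'__vfs_canary__'   # name of a hidden virtual item kept in the vfs as a reference point
MIN_RATIO = 0.5                # a vfs below half its last good size is treated as damaged


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def _manifest(backup_dir):
    f = Path(backup_dir) / 'manifest.json'
    return json.loads(f.read_text()) if f.exists() else None


def check_vfs(vfs, manifest):
    """Return None when the vfs looks healthy, otherwise a short reason."""
    p = Path(vfs)
    if not p.exists():
        return 'vfs file missing'
    data = p.read_bytes()
    if not data:
        return 'vfs file empty'
    if SENTINEL not in data:
        return 'sentinel item missing'
    if manifest and len(data) < MIN_RATIO * manifest['size']:
        return f'vfs shrank from {manifest["size"]} to {len(data)} bytes'
    return None


def snapshot(vfs, backup_dir):
    """Copy a healthy vfs into backup_dir and record the copy's size and hash."""
    bdir = Path(backup_dir)
    bdir.mkdir(parents=True, exist_ok=True)
    dest = bdir / time.strftime('hfs-%Y%m%d-%H%M%S.vfs')
    shutil.copy2(vfs, dest)
    manifest = {'file': dest.name, 'size': dest.stat().st_size, 'sha256': _sha256(dest)}
    (bdir / 'manifest.json').write_text(json.dumps(manifest))
    return manifest


def restore(vfs, backup_dir):
    """Put the last good copy back, refusing a backup whose hash no longer matches."""
    m = _manifest(backup_dir)
    src = Path(backup_dir) / m['file']
    if _sha256(src) != m['sha256']:
        raise RuntimeError(f'backup {src} is itself damaged')
    shutil.copy2(src, vfs)
    return src.name


def alert(backup_dir, message):
    """Stand-in for the e-mail/IM alert: append to a log the administrator watches."""
    Path(backup_dir).mkdir(parents=True, exist_ok=True)
    with open(Path(backup_dir) / 'alerts.log', 'a') as f:
        f.write(time.strftime('%Y-%m-%d %H:%M:%S ') + message + '\n')


def watch_once(vfs, backup_dir):
    """One scheduler pass: snapshot a changed healthy vfs, or restore and alert."""
    manifest = _manifest(backup_dir)
    problem = check_vfs(vfs, manifest)
    if problem is None:
        if manifest and manifest['sha256'] == _sha256(vfs):
            return ('unchanged', manifest['file'])
        return ('snapshot', snapshot(vfs, backup_dir)['file'])
    if manifest is None:
        alert(backup_dir, f'{problem}, and no backup to restore')
        return ('alert', problem)
    name = restore(vfs, backup_dir)
    alert(backup_dir, f'{problem}; restored {name}; reload the VFS in HFS')
    return ('restored', problem)


def demo():
    """Constructed scenario in a temp dir: healthy vfs, then emptied, then sentinel gone."""
    d = Path(tempfile.mkdtemp())
    vfs, bk = d / 'hfs.vfs', d / 'backup'
    good = b'FAKE-VFS\x00' * 20 + SENTINEL + b'\x00' * 300   # placeholder bytes, not the real format
    vfs.write_bytes(good)
    results = [watch_once(vfs, bk)[0], watch_once(vfs, bk)[0]]
    vfs.write_bytes(b'')                                    # the "file system cleared" event
    results.append(watch_once(vfs, bk))
    vfs.write_bytes(good.replace(SENTINEL, b'x' * len(SENTINEL)))
    results.append(watch_once(vfs, bk))
    results.append(vfs.read_bytes() == good)
    return results
```

Run `watch_once` from the task scheduler every few minutes. A restore only puts the file back on disk, HFS still has to reload it, and the manifest hash stops a damaged backup from being copied over a damaged vfs. `demo()` plays the whole scenario through in a temporary directory.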

2
A forgotten event appeared while extending the legacy tests

We start from a real folder added to the VFS (making sure that it does not itself inherit upload rights) and assign it upload rights by checking Anyone.
We then add a new virtual folder as a child; we can confirm that upload is not possible for this child.

If to this virtual child we also add a real folder named UPLOAD HFS,
a dialog box then appears asking whether or not we want to authorize upload inheritance for this 'grandchild' for all; in that case Anyone will be checked for this folder, otherwise it will still benefit from the upload rights of its successive parents.

After verification, it turns out that any folder name containing the word upload brings up the question.

3
Virtual folders do not have permission to receive uploads; only real folders mounted in the VFS have this possibility.

If the subfolder is a physical child on the hard disk of the upload folder, it will have the same rights as its parent. On the other hand, if the two directories are neither parent nor child of each other, it is possible to mount the second as a child of the first in the VFS as real directories (red folder icons) and individually assign the necessary permissions, but it does seem that the inheritance persists. One solution to invalidate it is to put a filter mask for the upload of the sub-directory in the Files mask tab: put \*.* in the upload field (which means none matching the mask *.*).


This will not prevent the user from being able to send a file, but hfs will refuse to save it.


The solution that can be adopted is to create an account named, for example, "noupload", protected by a password that cannot be guessed, with special characters.

We configure the parent to authorize upload for any authorized person, then for the subfolder we authorize upload only for the "noupload" account; this deactivates parental inheritance and the upload button will not appear. For remote maintenance needs, we can also authorize upload for the account that manages the server, in addition to the right to delete the subfolder.

I remind you that the child must not be a direct subdirectory of the parent on the disk, although theoretically it could work indirectly.
I see that this is the exact suggestion from rejetto above.

4
Everything else / Re: Massive amounts of users registering accounts
« on: July 17, 2022, 03:31:20 PM »
Hi guys

There are indeed periods when there is an upsurge in the creation of unwanted accounts (normally about thirty per day), with peaks beyond 200 per day. A large majority is blocked by the antispam module, but some manage to pass through when they have not been registered in the Stop Forum Spam database. Daily I report non-compliant profiles, which causes them to be classified as unwanted until the Boss purges the list; it's a way for me to continue to participate on the forum after a long cooperation on the development of HFS, from Delphi to the use of javascript.

The forum would need to increase security against bots with a more complex registration system: a captcha imposing double verification, either by using a HoneyPot and time measuring, or a logical or mathematical textual test.

Usually, when new subscribers fill out their signature or Personal Text with promotional web links before posting a single message, it's a bad sign.

Some temporary domain names are being misused; ban filtering of these domains would most certainly reduce this influx of registrations every minute.
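One way to implement the registration gate described above, as an added example that is not the forum's own code: a honeypot field, a minimum fill time bound to a signed token, a textual arithmetic question whose answer only the server can verify, a denylist of disposable e-mail domains and a scan for links in the signature or personal text. The secret key, the field names and the domain list are assumptions.

```python
"""Registration gate combining the checks proposed above: a honeypot field, a timing
check, a textual arithmetic challenge, a disposable-domain denylist and a look for
promotional links in the profile.  Added illustration; SECRET, the field names and
the denylist are assumptions, not the forum's configuration."""
import hashlib
import hmac
import random
import re
import time

SECRET = b'replace-with-a-random-per-deployment-key'   # assumption: kept server-side, rotated
MIN_SECONDS = 5          # humans need longer than this to fill in the form
TOKEN_TTL = 3600         # a form older than an hour must be reloaded
DISPOSABLE_DOMAINS = {'mailinator.com', 'guerrillamail.com', '10minutemail.com'}  # illustrative
USED_TOKENS = set()      # accepted tokens; a solved challenge must not be replayed


def _sign(issued, answer):
    """MAC over (issue time, expected answer): the client sees the MAC, never the answer."""
    return hmac.new(SECRET, f'{issued}:{answer}'.encode(), hashlib.sha256).hexdigest()


def new_form(now=None, a=None, b=None):
    """Server side: hidden fields to embed in the registration page (a, b fixed only for tests)."""
    now = int(now if now is not None else time.time())
    a = a if a is not None else random.randint(2, 9)
    b = b if b is not None else random.randint(2, 9)
    return {'question': f'What is {a} plus {b}? (digits only)',
            'issued': str(now), 'token': _sign(now, a + b)}


def verify(form, now=None):
    """Return the list of rejection reasons for a submitted form (empty list = accept)."""
    now = int(now if now is not None else time.time())
    reasons = []
    if form.get('website', ''):                        # honeypot: hidden by CSS, humans leave it empty
        reasons.append('honeypot filled')
    try:
        issued, answer = int(form['issued']), int(form['answer'])
    except (KeyError, ValueError):
        return reasons + ['missing or malformed fields']
    age = now - issued
    if age < MIN_SECONDS:
        reasons.append('submitted too fast')
    if age > TOKEN_TTL:
        reasons.append('form expired')
    token = form.get('token', '')
    if not hmac.compare_digest(_sign(issued, answer).encode(), token.encode()):
        reasons.append('wrong challenge answer')       # also catches a forged issue time
    elif token in USED_TOKENS:
        reasons.append('challenge token replayed')
    domain = form.get('email', '').rpartition('@')[2].lower()
    if domain in DISPOSABLE_DOMAINS:
        reasons.append('disposable e-mail domain')
    profile = form.get('signature', '') + ' ' + form.get('personal_text', '')
    if re.search(r'https?://|www\.', profile):
        reasons.append('link in profile at registration')
    if not reasons:
        USED_TOKENS.add(token)
    return reasons
```

The token is a MAC over the issue time and the expected answer, so a bot can neither forge an older timestamp to pass the timing check nor read the answer out of the page, and accepted tokens are remembered so one solved challenge cannot be reused for many registrations. The Stop Forum Spam lookup mentioned in the post would sit beside these checks; it is left out here to keep the example offline.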


5
Everything else / Re: Let things calm down
« on: April 29, 2022, 08:12:00 PM »
The problem is that when the address of a target is known to a hacker, there is little chance that it will not be tested. From Rom_1983's point of view, nothing accuses you, but given the suspicion that you are under surveillance, it suggests that these attacks can be indirectly linked to your Python scripts.

It should also be remembered that all messages whose content contains links to personal sites are visible to any visitor who is not logged in, so do not be surprised to potentially be the victim of unwanted visits.

If we most often hear about Big Brother and its eavesdropping through the NSA, we should not forget that other major countries are not behind in this area either and are increasingly trying to manipulate opinion; it is therefore logical to remain suspicious of them as long as it is not possible to verify the information by means of sources not subject to the directives of these governments.

7
HFS ~ HTTP File Server / Re: Request login/password but accept any
« on: December 17, 2021, 05:00:45 PM »
From memory I don't think that's possible, unless you create a form yourself to manage the identification under the conditions you want; you then just need to redirect to the resource (possibly hidden), including the login and password assigned to them.

8
Bug reports / Re: Possible vulnerability
« on: December 11, 2021, 09:46:00 PM »
If you are using one of the latest versions, the remote use of macros by a user via a URL is automatically detected and made harmless.
https://rejetto.com/forum/index.php?topic=11758.msg1061386#msg1061386

The other vulnerability exploit that was resolved quickly was the null byte injection.
https://rejetto.com/forum/index.php?topic=11619.msg1064421#msg1064421

I can no longer remember where and in what way these two types of attack are detected in the sources of hfs, but it is certain that if your version is up to date there is no more risk when a remote user performs such attempts.

9
It may depend on several factors:
1) make sure that the mobile phone is connected via wifi to the local network and not to the 3G-4G-5G network, otherwise external routing must be set up
2) with HFS in standard mode, the phone browser must be able to display the home page; if necessary, try another browser
3) in all circumstances, in the event of problems, use the IP address of the computer on the local network as the connection URL and not the DNS name used for external connections

10
HTML & templates / Re: About "hits"
« on: October 17, 2021, 12:56:00 AM »
attach your hfs.tpl in a new post

11
Bug reports / Re: False errors on upload
« on: September 17, 2021, 11:15:34 PM »
It appears for one of the following reasons when sending each file with the method that was used for it:

- the logged-in user does not have write rights to upload a file in the folder
- the user and the password used do not correspond to a registered account's values

12
Everything else / Re: I can't change the website to English.
« on: August 03, 2021, 11:22:27 PM »
Just indicate the country in the PayPal URL before /home, as in the examples below:

https://www.paypal.com/uk/home

https://www.paypal.com/it/home

https://www.paypal.com/de/home

https://www.paypal.com/es/home

13
HFS ~ HTTP File Server / Re: "username not found"
« on: May 11, 2021, 02:40:22 PM »
"user/password for each folder" is an old protection technique implemented in the first versions of HFS; it is preferable to use accounts as much as possible.

14
If only one particular IP should be able to access the folder, add something similar in the diff template of the folder properties,

either by using a forced disconnection (the condition uses {.!=|, so every IP other than the allowed one is disconnected):
Code:
{.if|{.!=|%ip%|127.0.0.1.}|{:{.disconnect.}:}.}

or, even better, by using a redirect, which gives the user the impression of an invalid link:

Code:
{.if|{.!=|%ip%|127.0.0.1.}|{:{.redirect|../ .}:}.}


Replace 127.0.0.1 with the allowed IP.


A more concrete example is to give access only to a specific user without going through permissions:

Code:
{.if|{.!=|%user%|Tsuna.}|{:{.redirect|../ .}:}.}


Note the difference in use between {.!=| and {.=| : "different" versus "equal".

15
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 28, 2021, 05:43:39 PM »
Are there some per ip-specific measurements?

no

How to make global variable apply to only 1 ip? 

A variable is defined by its name, which can include letters or numbers; preceded by # it becomes a global variable.
Just include %ip% in the name:

{.set|#flag_%ip%| ....   .}

Global variables only exist while hfs is running.
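The macro fragments in this post and in two earlier ones (the {.=| / {.!=| IP and user checks in the diff template, and the remote macro-via-URL and null byte problems in the "Possible vulnerability" reply) all run on the same template engine, so here is a small evaluator for that syntax, added as an illustration and not HFS's own implementation. It models only if, =, !=, set, disconnect, redirect, {:...:} sections and %name% placeholders, and contrasts the safe order (parse the template, then substitute request values as data) with the vulnerable order (paste request values into the template text, then parse). The username held in EVIL_USER is a constructed attacker value, and `looks_like_injection` is a guess at the shape of the detection the reply mentions, not HFS's actual check.

```python
"""Tiny evaluator for the {.macro|arg.} syntax of the examples above (illustration, not HFS's code).
Models: if, =, !=, set, disconnect, redirect, {:quoted:} sections, %name% placeholders."""
import re


class Disconnect(Exception):
    """{.disconnect.} ran: the connection would be dropped."""


class Redirect(Exception):
    """{.redirect|url.} ran; .url is the target."""
    def __init__(self, url):
        super().__init__(url)
        self.url = url


GLOBALS = {}  # '#'-prefixed variables; like HFS globals they live only in memory


def _match(s, i):
    """s[i:] starts with '{.' or '{:'; return the index just past the matching close."""
    depth, j = 0, i
    while j < len(s) - 1:
        two = s[j:j + 2]
        if two in ('{.', '{:'):
            depth, j = depth + 1, j + 2
        elif two in ('.}', ':}'):
            depth, j = depth - 1, j + 2
            if depth == 0:
                return j
        else:
            j += 1
    raise ValueError('unterminated macro in %r' % s)


def _split_args(body):
    """Split a macro body on '|' at nesting depth 0."""
    parts, cur, depth = [], [], 0
    for j, ch in enumerate(body):
        two = body[j:j + 2]
        if two in ('{.', '{:'):
            depth += 1
        elif two in ('.}', ':}'):
            depth -= 1
        if ch == '|' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def _expand(text, env):
    """Expand macros left to right.  %name% becomes env[name] as an opaque string:
    a value containing '{.' is copied to the output, never parsed."""
    out, i = [], 0
    while i < len(text):
        if text.startswith('{.', i):
            end = _match(text, i)
            out.append(_run(text[i + 2:end - 2], env))
            i = end
            continue
        m = re.match(r'%(\w+)%', text[i:])
        if m:
            out.append(env.get(m.group(1), ''))
            i += m.end()
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)


def _arg(raw, env):
    """Evaluate one argument; a {:...:} section is unwrapped and evaluated only now (lazily)."""
    raw = raw.strip()
    if raw.startswith('{:') and raw.endswith(':}'):
        raw = raw[2:-2]
    return _expand(raw, env).strip()


def _run(body, env):
    name, *args = _split_args(body)
    name = name.strip()
    if name == 'if':                         # {.if|cond|then|else.}
        taken = _arg(args[0], env) not in ('', '0')
        branch = args[1] if taken else (args[2] if len(args) > 2 else '')
        return _arg(branch, env)
    if name in ('=', '!='):                  # comparisons yield '1' (true) or '' (false)
        same = _arg(args[0], env) == _arg(args[1], env)
        return '1' if same == (name == '=') else ''
    if name == 'set':                        # {.set|#name|value.}; %ip% in the name gives one global per client
        GLOBALS[_arg(args[0], env)] = _arg(args[1], env)
        return ''
    if name == 'disconnect':
        raise Disconnect()
    if name == 'redirect':
        raise Redirect(_arg(args[0], env))
    raise ValueError('unsupported macro %r' % name)


def render(template, request):
    """Safe order: parse the template, then substitute request values as data."""
    return _expand(template, request)


def render_unsafe(template, request):
    """Vulnerable order: paste request values into the template text, then parse,
    so a username or URL parameter containing macro syntax gets executed."""
    for name, value in request.items():
        template = template.replace(f'%{name}%', value)
    return _expand(template, {})


def looks_like_injection(value):
    """Guess at a request-time check: a macro opener or a NUL byte inside a
    client-supplied string (URL, username, search text) is never legitimate."""
    return '{.' in value or '\x00' in value


def outcome(template, request, unsafe=False):
    """Run a template for one request and report what happened to it."""
    try:
        (render_unsafe if unsafe else render)(template, request)
        return 'served'
    except Disconnect:
        return 'disconnected'
    except Redirect as r:
        return 'redirected to ' + r.url


# Templates from the posts; EVIL_USER is a constructed attacker-chosen username.
ONLY_TSUNA = '{.if|{.!=|%user%|Tsuna.}|{:{.redirect|../ .}:}.}'
ONLY_LOCAL = '{.if|{.!=|%ip%|127.0.0.1.}|{:{.disconnect.}:}.}'
EVIL_USER = 'x|x.}|{:Tsuna:}.}{.if|{.=|1|2'
```

With `render`, EVIL_USER is just a string that is not "Tsuna" and the request is redirected; with `render_unsafe` the same value closes the `{.!=` comparison early, appends a second `{.if` whose condition is always false, and the request is served without the check. That is the class of problem the "Possible vulnerability" reply refers to, and why a template engine must treat request data as values rather than template text, with a cheap `{.` / NUL check in front as a second line of defence.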

