Recent Posts

1

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability, Patched 2.3K

« Last post by LeoNeeson on Today at 07:25:35 AM »

Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.

Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.

Thanks, Danny, for the acknowledgment, I appreciate it.

My only contribution was two small code tweaks, which I’ve shared here in case anyone is interested in reviewing or using them.

Keep up the good work!
Cheers,
Leo.-

2

Programmers corner / Code tweaks for HFS 2.3 users

« Last post by LeoNeeson on Today at 07:24:24 AM »

Hello everyone!

One of the pillars of open source software is, without a doubt, promoting transparency — the ability to compile the source code yourself (along with verifying its security and understand its functionality). This becomes even more important when we're talking about an HTTP file server. That's why, whenever I collaborate on something, I always try to make my contributions public.

In this case, I want to publicly thank Danny, who recently shared his own customized version of HFS in this thread. I haven't reviewed his changes in depth — I've only briefly tested his version — but I did help him with two small improvements that I’m sharing here in case anyone finds them useful.

Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.

That specific tweak is simply the following code (Danny is using an older build: HFS 2.3k, but it's the same and could be used on other versions as well). Personally, I haven’t been able to reproduce any issues that this is supposed to fix, but technically the change should have a positive effect.

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'
Add the line marked in red, after line 5061 in 'main.pas'

  with objByIp(data.address) do
    begin
    if speedLimitIP < 0 then limiter.maxSpeed:=MAXINT
    else limiter.maxSpeed:=round(speedLimitIP*1000);
    if limiter.maxSpeed < MAXINT then
    if conn.limiters.indexOf(limiter) < 0 then
      conn.limiters.add(limiter);
    end;

Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.

This change is simple: it bans the IP of any user attempting to execute a macro via the URL (which is the cause of the vulnerability described in this other thread), even though a similar IP ban could already be implemented using macros in a template. Personally, I think this may not be very effective nowadays, since many ISPs assign dynamic IPs (often even changing the subnet), or because proxies can bypass this entirely. Still, it’s one more layer of protection that might interest some users.

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'
Add all these lines, around line 5091 in 'main.pas'

Code: [Select]

  if anyMacroMarkerIn(conn.request.full) then
    begin
    data.disconnectReason := 'Possible security threat';
    add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
    getPage('ban', data);
    conn.reply.mode := HRM_DENY;
    if not isBanned(conn.address, data.banReason) then
      begin
        i := length(banlist);
        setlength(banlist, i+1);
        banlist[i].ip := conn.address;
        banlist[i].comment := data.disconnectReason;
      end;
    exit;
    end;
These were my only two contributions. The rest of the build reflects Danny’s personal choices and ideas.


Anyone is free to compile HFS (there are many users who have already done it), and if you're not sure how, you can check out the tutorial here. That’s all for now. I'm closing this topic since its purpose was simply to share this. If I ever need to add something else, I’ll ask a moderator to reopen it.

Cheers, 
Leo.-

3

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability, Patched 2.3K

« Last post by danny on July 11, 2025, 10:06:03 PM »

Speedup: 
locate hfs23-K-patched3.zip and you can test it out. 
http://software.run.place
It is running that same copy of HFS2.3K, with the macros on.

Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.  Also, I raised the console TTL so the UI stays responsive. 

 Edit:  For round 3:  Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.  So, you can use any template that you want to.
 
Included in the zip file is now the legacy default template for HFS2.3M, Leo's portable edition (jquery is aboard the template), and I have altered it slightly, so it can run well on the security-patched edition of HFS2.3K.  There is the unicode font added to the stylesheet, some necessary size adjustment, and it does not overwork the system icon code.

4

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability, Patched 2.3K

« Last post by danny on July 09, 2025, 12:30:32 AM »

For patched version of HFS2.3K, I've added many layers of defense. . . and *Might have solved/reduced the gigabit freeze problem. 
http://software.run.place
locate hfs23-K-patched.zip and you can test it out. 
The site to download it, is running that same copy of HFS2.3K, with the macros on. 

5

HTML & templates / Re: Stripes, the template for simple and easy. Updated for security.

« Last post by danny on July 05, 2025, 08:25:59 AM »

There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if 'macro' feature is on.  So...

Stripes 5 shuts off macros at first run, to secure.
Stripes 5 is designed to run without macros.
HFS 2.3 doesn't require macros for login.

6

HTML & templates / Re: The Throwback (retro) template. Updated. Security patch edition

« Last post by danny on July 05, 2025, 07:00:03 AM »

The new files are available at Post#1

There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if 'macro' feature is on.  So...

Throwback 15 shuts off macros at first run, to secure.
Throwback 15 is designed to run without macros. 
HFS 2.3 doesn't require macros for login.

7

HFS ~ HTTP File Server / Re: HFS v2.x severe vulnerability patched

« Last post by LeoNeeson on July 03, 2025, 10:06:47 AM »

Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off?

Hey Danny! It's nice you did your custom version. I'm glad you liked and found my guide to compiling HFS helpful. The following message below is what I wrote yesterday before going to sleep (replying your original message), which I'll leave here anyway...

Hi Leo!  Thanks for the reply. 

Is it possible to get a patched copy of HFS 2.3K, 2.3L or even 2.3M?
The "K" and "L" withstand gigabit slightly better than the "M" version.
However, I don&#39;t need 2.4 because it locks up under gigabit load.

So, file download location of patched HFS 2.3 ?

• Officially, there isn't a "patched" version of ANY version of the whole version 2 (since Rejetto, is now focused on the new version 3), nor do I have any (personal) version ready to share (if I had it, I would gladly share it, but I still have nothing ready).
• Unofficially, anyone can compile HFS from the source code and modify it to avoid this vulnerability. You'd need a copy of 'Turbo Delphi' or some later version, though. You can check my tutorial "How to compile HFS" if you wish.
  

Sadly, I don't have the time to continue with this anymore, at least for the foreseeable future. I only have like 10 or 20 minutes a day to reply to messages, and programming just takes up way too much time – time I don't have right now. It's not a lack of motivation, but circumstances beyond my control (my parents' health), that are keeping me from continue working on this. I just can't give you any date on when I'll have free time again to get back to this, but don't lose hope!. And thanks for your hosting offer, I appreciate it.

You can try some of the other 'code change' suggestions I've left on this thread (if you want to compile the source code yourself, but you will be on your own with this), or, even better, use another "fork" (unofficial version) of HFS, like any of the options described in this thread. But, what version you choose is totally up to you. The easiest option right now is to just stick with any -official- HFS version 2 (preferably the latest), with macros disabled for now. Or, you could always upgrade to HFS 3 to make Rejetto happy!

8

HFS ~ HTTP File Server / HFS v2.x severe vulnerability patched

« Last post by danny on July 02, 2025, 04:30:29 PM »

Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off? 

9

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability possible fix?

« Last post by LeoNeeson on July 02, 2025, 04:06:46 PM »

in hfs.events (alt+f6)

Code: [Select]

[+request]
{.if|{.match|*filter=*.chr*;*search=*.chr*;*filter=*.save*;*search=*.save*;*filter=*.section*;*search=*.section*;*filter=*.break*;*search=*.break*;*filter=*.move*;*search=*.move*;*filter=*.set*;*search=*.set*;*filter=*_host_*;*search=*_host_*;*filter=*%host%*;*search=*%host%*;*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*.chr*;*.exe*;*.bat*;*.ps*;*.com*;*.php*;*.py*;*.vbs*|%url%.}|{:{.disconnect.}{.add to log|%ip% %user% IS DENIED.}:}.}

Is that a good approach?  And, if so, how much of that filter is actually needed?  Thanks!!!

Hey Danny, good to see you again!

Unfortunately, none of those filters are going to stop this vulnerability, and they're not really useful in this specific situation. You can use them if you want, but they won't do anything to prevent this.

The only two ways to deal with this vulnerability at the moment are:

• For users, the easiest thing to do is just disable macros and use a template that doesn't use them.
  
• For programmers, the other option is recompiling the executable (after fixing the function that allow this vulnerability).
  

- To disable macros, follow these steps, described HERE.
- Then, you can use a template like these, found HERE.
(That should keep you safe from the vulnerability!)

That’s all we've got for now. Hope it helps!

Cheers,
Leo.-

10

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability possible fix?

« Last post by danny on June 29, 2025, 09:36:35 PM »

Edit:  Here is an approach with Auto-Ban.   This will not catch everything--keep scrolling, several posts further down.
in hfs.events (alt+f6)

Code: [Select]

[+request]
{.if|{.match|*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*cmd.exe*;*&cmd=*;*powershell+*;*/wp-includes/*|%url%.}|{:
{.set|n|{.from table|#tries|%ip%.}.}{.inc|n.}{.set table|#tries|%ip%={.^n.}.}
{.if|{.{.^n.} > 0.}|{:
{.set ini|ban-list={.no pipe|{.from table|#ini|ban-list.}%ip%#AutoBan {.time.}.}.}{.set table|#tries|%ip%=0.}
:}/if.}
{.disconnect.}{.add to log|%ip% %user% BANNED FOR POSSIBLE SECURITY THREAT.}:}.}Note:  This is possibly useful in combination with the TINYWALL firewall project, an egress blocking firewall, whereby you'd let through (allow) your web browser, HFS (possibly unblock lan), and very little else.  Newer version or there is also older version (for older server).