rejetto forum



Messages - Mars

1
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: October 06, 2024, 06:10:59 PM »
Hello to both of you. Even if I am not involved in HFS3, which for me represents a completely different project from HFS 2.x, I keep an eye on the possible changes to be made to the latter.

With some similar approaches I did not arrive at a satisfactory result: there are indeed not only the urlvars to control but also the recursion of the attack by using %url%; it is also necessary to take into account the postvars and, as rejetto said, the attacks by headers.

I looked into a more restrictive use of the EXE macro, by limiting the programs to launch to those contained exclusively in a subdirectory of HFS, but as it stands I do not handle the %url% in the loop.

Code: [Select]
  procedure exec_();
  var
    s, exe: string;
    code: cardinal;
  begin
  // only a program that sits in the exec\ subdirectory of HFS may be launched:
  // keep just the file name of the request and look it up there
  exe:=exepath+'exec\'+extractFileName(macroDequote(p));
  if not fileExists(exe) then
    begin
      pars.clear();
      result:='';
      mainfrm.add2log('DISCONNECTED'+CRLF+exe);
      disconnect();
      exit;
    end;

  s:=macroDequote(par(1));
  if fileOrDirExists(s) then
    s:=quoteIfAnyChar(' ', s)
  else
    if unnamedPars < 2 then
      s:='';
  // launch the checked path inside exec\, never the path given in the macro
  if parExist(['out']) or parExist(['timeout']) or parExist(['exit code']) then
    try
      spaceIf(captureExec(quoteIfAnyChar(' ', exe)+nonEmptyConcat(' ', s), s, code, parF('timeout',2)));
      try setVar(parEx('exit code'), intToStr(code)) except end;
      setVar(parEx('out'), s);
    except end
  else
    spaceIf(exec(exe, s))
  end; // exec_

Put the file calc.exe (to test) inside a new exec\ subdir and use the macro {.exec|calc.exe.}; the bad syntax without extension, {.exec|calc.}, is stopped.

This is a safe and absolute start for those who do not leave an executable in the exec\ directory.

What a hacker doesn't know about available resources is an obstacle to hacking.
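The same allow-list idea as the Delphi change above, written as an added Python example (not HFS code): only the file name of the request is kept, it is looked up in the exec\ directory, and the checked path is what gets launched, so a request naming a program elsewhere on the disk can only ever run the copy in exec\. The directory name and the sample requests are constructed for the example.

```python
import subprocess
from pathlib import Path, PureWindowsPath


def resolve_exec_target(exec_dir, requested):
    """Map the argument of {.exec|...} onto the only file that may be launched.

    Like extractFileName() in the Delphi version, only the file name of the
    request is kept and looked up in exec_dir.  Returns the canonical path to
    run, or None when the request must be refused.
    """
    # PureWindowsPath strips drive letters and directory parts, with either separator
    name = PureWindowsPath(requested).name
    if not name:
        return None
    base = Path(exec_dir).resolve()
    candidate = (base / name).resolve()
    # must be a regular file sitting directly in exec\; a symlink that resolves
    # elsewhere fails the parent check, a name without extension simply does not exist
    if candidate.parent != base or not candidate.is_file():
        return None
    return candidate


def run_exec_macro(exec_dir, requested, params="", timeout=2):
    """Launch the checked file with optional parameters; returns (exit code, output).

    Returns None when the request is refused, which is the case where the macro
    above logs DISCONNECTED and drops the connection.
    """
    target = resolve_exec_target(exec_dir, requested)
    if target is None:
        return None
    cmd = [str(target)] + ([params] if params else [])
    done = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return done.returncode, done.stdout
```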

2
Everything else / Re: Message to Rejetto: forum's email is broken
« on: August 05, 2024, 11:19:54 PM »

works as expected, bots will be able to have fun again

 :o

4
HFS ~ HTTP File Server / Re: HFS including SSl tools
« on: January 15, 2024, 09:13:31 PM »
Unless you are on 32-bit Windows, you can replace the stunnel included in HFS with the latest 64-bit version available for download there:

https://www.stunnel.org/downloads.html

5
HFS versions 2.3 and 2.4 will no longer evolve; the VFS recording format cannot be modified, in order to maintain compatibility between these versions.

a new HFS 3.0 development has been implemented by rejetto; follow this link
https://rejetto.com/forum/index.php?board=46.0

6
your HFS works correctly; access via your external IP is viable, I was able to verify it by using it directly

rather than using the DNS address from your smartphone, carry out the manipulation using the external IP that your HFS can obtain from Menu->IP address->Find external address

Don't give your IP here, rejetto and I already have it in your profile

7
This is the only method that comes to mind, and I hope that it will solve your problem of loss of VFS  ;)

switch to expert mode (key F5)
select Menu>Save options to file, and activate Menu>Auto-save Options

in Menu>Virtual File System, choose Backup on Save and Autosave every: enter 900 (= every 15 min) or more

Menu>Others options> Edit Event Script... (ALT+F6)

put this content in hfs.events and save it in the hfs.exe folder
Code: [Select]
[server start]
{.if|{.{.filesize|hfs.vfs.}<255.}|
{:{.add to log|Empty VFS detected.}
  {.if|{.exists|hfs.vfs.bak.}|
{:{.add to log| VFS backup found.}
  {.delete|hfs.vfs.}
  {.copy|hfs.vfs.bak|hfs.vfs.}
  {.add to log| previous VFS restored and loaded.}
:}|{:{.add to log| VFS backup not found.}:}
/if.}:}
|{:{.add to log|VFS seems good.}:}
/if.}

this script tests if the size of the VFS is less than a certain value (255, to be reduced if necessary) and in this case restores the backup every time the server is SWITCHED ON (not just when hfs is launched), allowing a functional VFS to be found

check in the Windows registry whether these keys exist, and delete them if they do:
HKEY_CURRENT_USER\Software\rejetto and HKEY_LOCAL_MACHINE\Software\rejetto

8
HFS ~ HTTP File Server / Re: HFS including SSl tools
« on: March 16, 2023, 10:31:21 PM »
No, there will be no new version beyond the one already available in 2.x;
a new project supporting https is already available in this topic
https://rejetto.com/forum/index.php?topic=13506.msg1067143#msg1067143

9
Bug reports / Re: False errors on upload
« on: January 26, 2023, 10:15:57 PM »
so it looks like this folder is visible in the VFS, since you changed the access properties there

try to go to the diff template tab, where you can place a customization of the upload results by adding this section

Code: [Select]
[+upload-success]
{.add to log|{.filename|%item-resource%.}=uploaded by {.if|{.length|%user%.}|%user%|Anonymous /if.}./add to log.}

10
HFS ~ HTTP File Server / Re: Rejetto HFS file server alternative?
« on: November 15, 2022, 03:44:12 PM »
Why shouldn't you wake a sleeping cat?
Cats who are deprived of these stages of sleep can become lethargic or irritable, it is therefore better to avoid waking them up as much as possible

and I must say that taking care of an awakened Fysack is not easy  ;D ;D ;D

11
Programmers corner / Re: Only one thing that wasn't released about HFS...
« on: October 25, 2022, 07:23:04 PM »
the procedure to reproduce in php seems to be the following

php receives a request from hfs in this format

Code: [Select]
http://hfstest.rejetto.com/?port={external_port}&host={external_ip|dns_name}&natted={no|yes}

this should generate a new request using a second channel, from php to hfs, on a url of the form

Code: [Select]
http://%host%:%port%/test

if hfs is indeed accessible from the web with this url, then it sends as response to php the text 'HFS OK'

from then on, the php returns a text over the first channel with '1' as the correct-functioning response, otherwise an empty string in the event of an error


*************************************

technically it is possible to simulate this exchange using two hfs sessions and forcing a redirection from hfstest.rejetto.com to a local ip in the Windows 'hosts' file by adding this line

127.0.0.1 hfstest.rejetto.com

the server that must appear as the php must be launched listening on port 80 and active on 'Any Address'

in the root, put this as diff template
Code: [Select]
[]
1

launch another session of hfs listening on any port other than 80, then launch the "self test"; the response obtained will be positively successful

you can also perform this experiment by replacing the localhost address with the local ip (192.168.1.xxx)

If we also use the 'self test' of the hfs on port 80 as a self test, the response will also be positive with 127.0.0.1, but there is no response with 192.168.1.xxx
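The two-channel exchange described in this post, as an added Python example of the test-service side (it is not rejetto's PHP, which is not published here): the first-channel query is parsed, the second-channel callback to http://host:port/test is issued through a fetch callable, and '1' or '' is returned depending on whether the reply is 'HFS OK'. The port-range and host sanity checks are assumptions added here, and the sample values in the test are constructed.

```python
from urllib.parse import parse_qs, urlparse


def parse_self_test_request(url):
    """First channel: pull port, host and natted out of the request HFS sends."""
    q = parse_qs(urlparse(url).query)
    try:
        port = int(q["port"][0])
        host = q["host"][0]
    except (KeyError, ValueError):
        return None
    # assumed sanity checks: a usable TCP port and a host that cannot alter the callback URL
    if not 1 <= port <= 65535 or not host or any(c in host for c in "/?#@ "):
        return None
    return {"port": port, "host": host, "natted": q.get("natted", ["no"])[0] == "yes"}


def callback_url(req):
    """Second channel: the URL the service fetches to reach HFS from the outside."""
    return "http://%s:%d/test" % (req["host"], req["port"])


def self_test(url, fetch):
    """Answer on the first channel: '1' when HFS replied 'HFS OK', '' on any error."""
    req = parse_self_test_request(url)
    if req is None:
        return ""
    try:
        body = fetch(callback_url(req), timeout=5)
    except Exception:           # unreachable host, refused port, timeout: all mean 'not accessible'
        return ""
    return "1" if body.strip() == "HFS OK" else ""


def http_get(url, timeout):
    """A real fetch callable for self_test(), using only the standard library."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")
```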

12
HFS ~ HTTP File Server / Re: Why file system cleared?
« on: October 05, 2022, 07:06:04 AM »
the track seems unreliable: the system attributes are not sufficient to prevent a program other than hfs from accessing the VFS file.

I don't see any other solution as it stands than managing a copy of the vfs outside of hfs.

an important thing is to always activate "backup on save" in "Menu > Virtual File System" in order to keep a valid copy

13
HFS ~ HTTP File Server / Re: Why file system cleared?
« on: September 28, 2022, 07:19:57 PM »
for once it would have been necessary to note the date of creation of the empty vfs file, to determine if it was a new file created as part of a data backup or if there was loss of the complete file with recreation of a new but virgin one;
this date could also have been compared with the log of Windows application and system events and allowed us to have an idea of the cause of this phenomenon.

To tell the truth, this seems to be a fairly exceptional phenomenon over time; if it were more often recurrent, we could consider an in-depth study to try to reproduce it. At this stage it is wiser to make backups at regular intervals.

the subject remains open to follow-up in the event of a shorter recurrence

by HFS scripts it is certainly possible to test the size of the current vfs and, in the event of an incident, to restore the last backup without the administrator having to intervene too late, while issuing an alert to them in the form of an email or other means of communication available from the server

we can test the existence of a hidden virtual file in the vfs as a reference point, and if it disappears this means that the vfs had a problem; hfs can then react accordingly

14
A forgotten event appeared while extending the legacy tests

we start from a real folder added to the VFS (we make sure that it does not inherit the upload itself) and we assign it the upload rights by checking anyone;
we then add a new virtual folder as a child, and we can confirm that the upload is not possible for this child.

If to this virtual child we also add a real folder named UPLOAD HFS,
a dialog box then appears asking us whether or not we want to authorize the inherited upload for this 'grandchild' for all; in this case anyone will be checked for this folder, otherwise it will still benefit from the upload rights of the successive parents.

After verification, it is implemented so that any folder name containing the word upload brings up the question

15
virtual folders do not have permission to perform uploads; only real folders mounted in the VFS have this possibility

if the subfolder is a physical child on the hard disk of the upload folder, it will have the same rights as its parent. On the other hand, if the two directories are neither parent of one nor parent of the other, it is possible to mount the 2nd as a child of the first in the VFS as actual directories (red folder icons) and individually assign the necessary permissions, but it does seem like the inheritance persists. A solution to invalidate it is to put a filter mask for the upload of the sub-directory in the files mask tab: put \*.* in the upload field (which means none matching the mask *.*)


this will not prevent the user from being able to send a file, but hfs will refuse to save it


the solution that can be adopted is to create an account named for example "noupload", protected by a hard-to-find password containing special characters

we configure the parent to authorize the upload for any authorized person, then for the subfolder we only authorize the upload for the "noupload" account; this deactivates parental inheritance and the upload button will not appear. For remote maintenance needs, we can also authorize the upload for the account that manages the server, in addition to the right to delete in the subfolder

I remind you that the child must not be a direct subdirectory of the parent on the disk, although theoretically it could work indirectly.
I see that it is the exact suggestion from rejetto above.
