rejetto forum

Recent Posts

Pages: 1 2 3 ... 10
1
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on Today at 06:46:05 AM »
Quote from: rejetto on Yesterday at 10:01:03 AM
that's great, congratulations with your achievement, Leo!
Thanks, it means a lot that you like it, I appreciate it. :) To me, it's like an exercise to dip my toes on Delphi, although there is still a long way to go...

Quote from: rejetto on Yesterday at 10:01:03 AM
you prefer 2.3 over 2.4 ?
Not really, some parts of it only (2.4 has huge improvements), but mainly I'm using 2.3 in my tests because it is much easier for me to build it (using TD2006). And since it was the latest stable version published, it was the version I've used it as example.

Quote from: rejetto on Yesterday at 10:01:03 AM
Is the url the only way to use the vulnerability? Even if the POC of the CVE uses the url, be sure to consider the possibility of the attack coming from a header.
Yes, I know what you mean ('Host' header is not covered, for example), that's why I'm not completely happy with my 'single line' fix (although it works). That's why I'm testing a completely new fix (instead the previous code). See...


ยป Alternative method to stop this macro vulnerability:
Add the line marked in green, after line 5084 in 'main.pas' (v2.3m)

Quote
  runEventScript('pre-filter-request');

  // Check macro leaks, prevent hack attempts
  if anyMacroMarkerIn(conn.request.full) then
  begin
    data.disconnectReason:='Hack attempt blocked. This event has been logged!';
    add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
    getPage('deny', data);
    conn.reply.mode:=HRM_BAD_REQUEST;
    exit;
  end;


It works, but even then, it's just a simple check and stop, not a true 'urlvar' filtering (and I can't be 100% sure if it is enough or if some hacker could think a workaround to bypass this measure). And if the browser asks for the 'favicon.ico' along with the same request, it gets logged as hack attempt too (and I don't like this, and I have to think how to handle it, perhaps with 'urlCmd'). Alternatively, I was thinking of doing a 'stringReplace' of macro markers on 'request.full' at an earlier stage, right on the 'handleHeaderData' procedure (which also works, as second measure), but I don't like this approach, since it could mess with other parts of the code.

Well, I think that's all I will be working with this at the moment, I don't have too much time to go deeper analyzing this, it's only a start for now.
2
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by rejetto on Yesterday at 10:01:03 AM »
that's great, congratulations with your achievement, Leo!
i cannot say anything about effectiveness of this fix, but i'm happy if you can find a solution.
Is the url the only way to use the vulnerability? Even if the POC of the CVE uses the url, be sure to consider the possibility of the attack coming from a header.
you prefer 2.3 over 2.4 ?
3
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on October 02, 2024, 06:36:55 AM »
After spending several hours on last weekend, I'm happy to finally announce that I've come up with a simple (one line) solution to this macro vulnerability. :D

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'
Add the line marked in red, after line 5100 in 'main.pas'
(After line 5445 in v2.4 RC07, but is hasn't been tested)

Quote
  url:=conn.request.url; // The next line is a fix for CVE-2024-23692
  if anyMacroMarkerIn(url) then url:=encodeURL(xtpl(url,['%','#']));
  extractParams();
  url:=decodeURL(url);

This was my second 'impossible task' achieved or accomplished here (the first was helping to bring the 'logout' function to HFS), and now an attempt to fix this vulnerability. Those are the good things about programming: almost nothing is impossible with a lot of effort and dedication. :)
4
Everything else / Re: A simple chatrooms with video chat support.
« Last post by rejetto on September 09, 2024, 07:36:32 AM »
nice tool!
5
Everything else / A simple chatrooms with video chat support.
« Last post by mzw18667 on August 25, 2024, 02:24:47 PM »
Hi all, I made this one after I publish "webd". Hope you like it.
If you find it usefull, please share it somewhere else, it's important for me to run it sustainablity.

No Registration Needed, easy to create your own chatroom. https://cnt2.cf/groups/login.html
  • Just pick up some groupname&password and nickname to create a chatroom and login.
  • Share the same groupname&password (or link) to others to let them join in the same chatroom.
  • Same groupname with a different password will lead to a different chatroom.
  • Chat contents encrypted at frontend.
Video Call Supported.
  • If only two in chatroom, just click the phone button to video call another one.
  • If there's more than two, first click one's name to enter private chat mode, then click the phone button.
  • Also in private chat mode, text message only send to the one target, and the text color is different.


6
Everything else / Re: Message to Rejetto: forum's email is broken
« Last post by LeoNeeson on August 11, 2024, 12:25:15 AM »
It's still working here, and I agree that the main reason of all this problem (and also of having too many spam accounts), is the use of fake/disposable email address to register (like you said 'invalid addresses'). If we filter that registration comes ONLY from common respectable email providers, like: Gmail, Yahoo, Hotmail, Yandex, GMX, QQ, etc. then those spam accounts will be much less.

Reading a forum thread on SMF Community Forum, about "Restrict email providers on registration", I've found THIS mod, which works with current SMF version, and has a very useful option named "Only allow these providers" (along with preventing people using their email addresses as usernames).

PS: nothing is perfect, since one Gmail account could have MANY email alias (and register many accounts on the forum using those alias). So, it would be great if we could 'clean' the email username from any "+" (plus symbols) and "." (dots), when someone is using Gmail to register to avoid the 'alias' trick. Perhaps that mod that I mentioned, has this feature too (I don't know).
7
Everything else / Re: Message to Rejetto: forum's email is broken
« Last post by rejetto on August 10, 2024, 11:18:26 PM »
i think the email is not working again.
my provider interrupts the service because a lot of emails fails, because of spammers who register on the forum with invalid addresses.
i think "questions" don't work because i installed the "stop spammer" plugin.
8
Everything else / Re: Message to Rejetto: forum's email is broken
« Last post by LeoNeeson on August 06, 2024, 02:26:55 AM »
Quote from: rejetto on August 05, 2024, 07:27:22 PM
it should be fixed now.
Yes, I confirm that now it works... :)

Quote from: Mars on August 05, 2024, 11:19:54 PM
works as expected, bots will be able to have fun again
To avoid bots, according to forum's documentation, "the most efficient anti-spam method provided by SMF" by default, without having to install any -Mod- (modification), is enabling "Verification Questions". I've read that adding three simple (but not so obvious) questions stops most bots. I highly recommend adding this to relieve Mars's task of cleaning the forum. 8)
9
Everything else / Re: Message to Rejetto: forum's email is broken
« Last post by Mars on August 05, 2024, 11:19:54 PM »

works as expected, bots will be able to have fun again

 :o
10
Everything else / Re: Message to Rejetto: forum's email is broken
« Last post by rejetto on August 05, 2024, 07:27:22 PM »
it should be fixed now.
sorry guys
Pages: 1 2 3 ... 10