rejetto forum

Recent Posts

21
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Mars on January 09, 2025, 12:46:12 PM »
What is missing is a switch of templates, as exists when we use a computer or smartphones, for example, but in this case it's simpler to have two versions of HFS and run only the one with macros or the one without ;D
22
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Rapid on January 09, 2025, 09:41:53 AM »
Quote from: LeoNeeson
I've sent you a private message because I can't run x64 apps.
...
32bit: https://rnq.ru/categories/download/8-hfs/216-hfs-324

Quote from: LeoNeeson
...
We can have the best of both worlds if we do this:

(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.

Even then, nobody could guarantee 100% permanent security forever... :(

Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)
I think you misunderstand what macros are. Templates are based on macros. So "no macros" = "no templates".
For me HFS is just a Home File Server. I don't really care about security.
All changes are just for fun...
Like beautiful alpha-blended icons, serving thumbnails as WebP, using ZSTD compression instead of zlib. Nobody needs it, but it's fun to do :)
So the next big fun is to add "zip format for folder archives".
23
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on January 09, 2025, 12:58:25 AM »
Quote from: Rapid
Could you check my versions, whether they are vulnerable or not? As I don't really understand your answers regarding my fixes.
I've sent you a private message because I can't run x64 apps.
You can use 1Fichier to upload files if that's easier for you.
Until then, I can't review your version; I'm sorry... :-[

Quote from: Rapid
I really don't understand why you are afraid only of the 'exec' macro. With the 'save' macro it's possible to do the same (if you write a 'bat' or 'lnk' file). With 'add folder' it's possible to add the home folder of the active user, and maybe download something private.
I completely agree with you (and I was already aware of all that).

Quote from: Mars
It is always possible to use version 2.2f, which makes it possible to distribute content as one watches a film,
We can have the best of both worlds if we do this:

(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.

Even then, nobody could guarantee 100% permanent security forever... :(

Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)
24
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Mars on January 08, 2025, 01:08:21 PM »
In the face of all these hacking possibilities, it comes down to the fact that HFS is running on a virtual machine in a restricted environment. ;D

HFS is of an old design; no matter how much we try to plug the holes, we'll never be safe from further leaks.
It is always possible to use version 2.2f, which makes it possible to distribute content as one watches a film,

Otherwise we use a version with macros, which allows a certain interactivity, but it's like with games: there are always some who will try to cheat to win, not much except to convince themselves that they beat the designer in his efforts to make his product inviolable. It's a racing game where we can quickly make mistakes that make us lose the race.

The race here is one of inventiveness, which will let the most clever one supplant the other by pulling the rug out from under his feet; like a chess player, it's not because we lose pieces or even the queen that we are down, as long as checkmate has not been announced 8) 8)
25
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Rapid on January 08, 2025, 11:42:37 AM »
OK, download link is fixed.

I really don't understand why you are afraid only of the 'exec' macro. With the 'save' macro it's possible to do the same (if you write a 'bat' or 'lnk' file). With 'add folder' it's possible to add the home folder of the active user, and maybe download something private.
26
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on January 07, 2025, 02:40:55 AM »
Since we are joking... :D

@Rapid: You did it! 0 bits = 0 vulnerabilities ! ;D

@Mars: Now I do understand why your timer is set to 30 seconds...
...and also because it only takes '30 seconds to Mars'
...a nice rock band, although I prefer Bruno Mars

I'm sorry, I think I went too far today...
(too many jokes in one post) ;)
27
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Mars on January 07, 2025, 01:30:08 AM »
@Rapid

With a download size of 0 bits, your HFS breaks all compression records ;D ;D ;D
28
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Rapid on January 06, 2025, 10:16:40 PM »
Hi Leo!
Could you check my versions, whether they are vulnerable or not? As I don't really understand your answers regarding my fixes.
In my tests, I couldn't reproduce the vulnerability examples. Maybe I didn't check enough?

My latest version: https://rnq.ru/downloads/download/8-hfs/215-hfs-324-x64
29
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by LeoNeeson on January 06, 2025, 11:42:54 AM »
Good! :D ...and now we have:

- Option C: Mars’s version of HFS! (v2.3m Build 305)
This option is perfect for those who want to make normal use of the default template (while also wanting to programmatically run programs using HFS, but don’t want to leave this option enabled for too long). This also provides another alternative (besides 'Option A or B') for those who wish to disable the 'exec' macro feature to be more secure.


What is the difference between 'Option B' and 'Option C'? The difference is that 'Option B' disables all macros (including the less risky macros that are necessary for normal template functionality), while the Mars compilation only disables the 'exec' macro (which allows other programs to be executed, and this was exploited by this vulnerability). Since the vulnerability still exists, if you use 'Option C' (and enable the 'exec' macro), it's best to allow it only for a short period, or to disable it directly when this feature is not needed.

It’s nice to have more options for those who may need them.
Everything seems fine, and it’s good, coming from Mars (congrats!) :)
30
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« Last post by Mars on January 03, 2025, 11:31:41 PM »

Since there are still fans of HFS 2.3m build 300 who are concerned about the risk of being hacked via the EXEC macro, the simplest thing at the moment is to allow deactivation of this macro, which is only rarely used and in very specific cases.

The solution envisaged, to limit the accessible external programs to a reduced list, is not possible at the moment, as long as effective filtering is not possible.


This is an ephemeral link to a version compressed with UPX, which has not been endorsed by rejetto, but because of my previous participation in the project I can afford it without waiting ;)
It integrates a button in the toolbar to activate the use of the exec macro.
HFS 2.3m build 305

The macro is systematically in OFF mode as soon as the server is started up, or at each change of state of the latter.

The macro is automatically deactivated when the display is switched to EASY mode, and the button is inoperative.

When the conditions are met, it is possible to activate the use of the EXEC macro for a period of 30 seconds; this value can be modified by right-clicking on the button.

Any change to a value other than the one displayed when the message opens causes the timer to stop, so it is necessary to reactivate the button.

For simplicity, a zero value inhibits the timer and the button becomes a simple state toggle; otherwise it behaves like a timer.
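The gating scheme Mars describes in the post above (the macro OFF at every server start or state change, enabled for a bounded window, a zero value meaning a plain toggle), together with Rapid's point earlier in the thread that 'save' and 'add folder' reach the host just as 'exec' does, and LeoNeeson's suggestion that the macro system behave like user permissions, can be modelled in a few lines. What follows is an added example written for this page; it is not HFS code and not part of Mars's build 305. The `{.name|param.}` call syntax is HFS's own and the macro names 'exec', 'save' and 'add folder' are taken from the thread, but the `MacroGate` class, the `render` function, the PRIVILEGED set, the placeholder macro `greet` and the sample template are all constructed here to illustrate the policy, and expansion only emits a `<name:param>` marker rather than running anything.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# HFS-style macro call: {.name|param.}  (the name may contain spaces, e.g. "add folder")
MACRO_RE = re.compile(r"\{\.\s*([a-z ]+?)\s*(?:\|(.*?))?\.\}", re.S)

# Constructed policy: macros that reach the host, not just the rendered page.
# Gating only 'exec' would leave 'save' (write a .bat/.lnk) and
# 'add folder' (expose another directory) permanently enabled.
PRIVILEGED = frozenset({"exec", "save", "add folder"})


@dataclass
class MacroGate:
    """Per-macro enable state, modelled on the timed EXEC toolbar button."""
    clock: Callable[[], float] = time.monotonic
    # macro -> deadline in clock seconds, or None for an untimed toggle
    _enabled_until: Dict[str, Optional[float]] = field(default_factory=dict)

    def enable(self, macro: str, seconds: float = 30) -> None:
        """Enable for `seconds`; 0 turns the button into a plain on/off toggle."""
        if macro not in PRIVILEGED:
            return  # unprivileged macros are always allowed; nothing to enable
        self._enabled_until[macro] = None if seconds == 0 else self.clock() + seconds

    def disable(self, macro: str) -> None:
        self._enabled_until.pop(macro, None)

    def on_server_state_change(self) -> None:
        """Server start/stop or switch to EASY mode: every privileged macro goes OFF."""
        self._enabled_until.clear()

    def allowed(self, macro: str) -> bool:
        if macro not in PRIVILEGED:
            return True
        if macro not in self._enabled_until:
            return False  # default state: OFF
        deadline = self._enabled_until[macro]
        if deadline is None or self.clock() < deadline:
            return True
        del self._enabled_until[macro]  # window expired: back to OFF
        return False


def render(template: str, gate: MacroGate):
    """Expand macros in `template`. Privileged macros that are not currently
    allowed are dropped from the output and reported in the blocked list."""
    blocked = []

    def expand(m) -> str:
        name = m.group(1).strip()
        if not gate.allowed(name):
            blocked.append(name)
            return ""
        return f"<{name}:{(m.group(2) or '').strip()}>"

    return MACRO_RE.sub(expand, template), blocked


# Constructed sample template; 'greet' is a placeholder unprivileged macro.
SAMPLE = "{.greet.} {.exec|prog.exe.} {.save|run.bat|prog.} {.add folder|C:\\data.}"

if __name__ == "__main__":
    gate = MacroGate()
    print(render(SAMPLE, gate))          # all three privileged macros blocked
    gate.enable("exec", seconds=30)      # the 30-second button
    print(render(SAMPLE, gate))          # only exec expands now
    gate.on_server_state_change()        # e.g. server restarted
    print(render(SAMPLE, gate))          # exec is OFF again
```

The point of `PRIVILEGED` being a set rather than the single name 'exec' is Rapid's: whichever macros can write files or expose directories need the same timed gate, and the gate falls back to OFF on its own, so an admin who forgets the button is not left exposed.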