Recent Posts

21

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability possible fix?

« Last post by danny on June 29, 2025, 09:36:35 PM »

Edit:  Here is an approach with Auto-Ban.   This will not catch everything--keep scrolling, several posts further down.
in hfs.events (alt+f6)

Code: [Select]

[+request]
{.if|{.match|*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*cmd.exe*;*&cmd=*;*powershell+*;*/wp-includes/*|%url%.}|{:
{.set|n|{.from table|#tries|%ip%.}.}{.inc|n.}{.set table|#tries|%ip%={.^n.}.}
{.if|{.{.^n.} > 0.}|{:
{.set ini|ban-list={.no pipe|{.from table|#ini|ban-list.}%ip%#AutoBan {.time.}.}.}{.set table|#tries|%ip%=0.}
:}/if.}
{.disconnect.}{.add to log|%ip% %user% BANNED FOR POSSIBLE SECURITY THREAT.}:}.}Note:  This is possibly useful in combination with the TINYWALL firewall project, an egress blocking firewall, whereby you'd let through (allow) your web browser, HFS (possibly unblock lan), and very little else.  Newer version or there is also older version (for older server).

22

Everything else / Re: Taking a summer break and some time off

« Last post by Mars on January 22, 2025, 01:28:59 PM »

It's not a big deal, the cupboards and the freezer are full, we won't starve to spend your return.

do your job well and don't force too much on the tequila during the aperitif breaks

PS: I'm closing this topic since it doesn't need any further comments.
  all the ways of the lord are not impenetrable

23

Everything else / Taking a summer break and some time off

« Last post by LeoNeeson on January 22, 2025, 03:50:24 AM »

Hey everyone! Some of you might already know (those who contacted me via private message), but for the rest, I want to let you know that I’ll be stepping away from my computer, the forum, emails, etc. for a few weeks. It’s summer over here, and during this time (from January to about March/April), the weather allows me to do some home projects that aren’t possible at other times of the year (like painting, general cleaning, and small repairs).

I just wanted to mention this, so you could understand why it might take me a while to respond or provide detailed replies (I will probably check things once a week). It’s not due to a lack of interest or anything; it's just a little break from all the tech stuff during these hot weeks. But when summer is over, I’ll be back around more often!

Cheers,
Leo.-


PS: I'm closing this topic since it doesn't need any further comments.

24

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by LeoNeeson on January 10, 2025, 04:26:55 PM »

Ok, if we don't count "%item-url%" as macros, than you are right.

I agree that it looks similar, but '%item-url%' is one of the 'Symbols' available (Macros and Symbols are both processed at server-side). %Symbols% are much safer and already existed in very ancient versions (before Rejetto added macros in v2.3x), and are replaced by the real values at run-time (when the HTML page is built), meanwhile macro works like server-side scripting.

I like the idea to have a separate template for no-macros mode. So I will add an option "Disable macros for non-local IP" to use separate templates for local and non-local users.

I'm glad you like the idea.

For any other thing related about this, it's much better to open a new thread in 'Programmers corner', to not disturb users subscribed to this thread who are waiting for news on this issue.

25

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by Rapid on January 10, 2025, 07:04:47 AM »

By saying 'templates are based' on macros, it could only mean 'some templates depend' on macros (but only those templates that need a macro to work, like, for example, the default template). However, your latest statement is not entirely accurate, since you can have a template without macros. Otherwise, you would not be able to install or use the templates I've modified in this post HERE, which can be used with macros disabled (obviously, some features are disabled, such as the ability to delete, rename, or upload files, but it's still a template after all). I'm not looking to argue, but I do have a clear understanding of what macros are and how they work.
...

Ok, if we don't count "%item-url%" as macros, than you are right. But technically it's kind of macros too 

I like the idea to have a separate template for no-macros mode. So I will add an option "Disable macros for non-local IP" to use separate templates for local and non-local users.
It remains to add the possibility to define these separate templates.
As of start I will add template as a resource. We already have an example "dmBrowser.tpl" for download managers.

26

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by LeoNeeson on January 09, 2025, 07:36:35 PM »

I think you misunderstands what macroses are.
Templates are based on macroses.
So "no macros" = "no templates".

By saying 'templates are based' on macros, it could only mean 'some templates depend' on macros (but only those templates that need a macro to work, like, for example, the default template). However, your latest statement is not entirely accurate, since you can have a template without macros. Otherwise, you would not be able to install or use the templates I've modified in this post HERE, which can be used with macros disabled (obviously, some features are disabled, such as the ability to delete, rename, or upload files, but it's still a template after all). I'm not looking to argue, but I do have a clear understanding of what macros are and how they work.

For me HFS is just a Home File Server.
I don't really care about security.
All changes are just for fun...

Then, just for fun, you have given me the opportunity to say the following: "Ladies and gentlemen, we now have..."

- Option D: DRapid version of HFS! (32 bits & 64 bits)
Yeah! this version is good for those who want to use templates while avoiding this vulnerability, and also for those who, based on his own words (not mine): 'don't really care about security'. So, if you feel comfortable with this, you will find this version very interesting.

» Seriously speaking, from what I've seen by running the program and conducting some tests (and also after reviewing the patch in the source code from an older build), it seems to avoid the vulnerability. However, I don't see this as a definitive long-term solution. That being said, I can't provide ANY guarantees, and it's up to the end-user to decide whether this is appropriate to use or not.

what is missing it´s a swtich of templates as exist when we use a computer or smartphones for example, but in this case it´s more simple to have two versions of hfs and run only the one with macros or not

Even better: two HFS versions on two separate computers!

27

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by Mars on January 09, 2025, 12:46:12 PM »

what is missing it´s a swtich of templates as exist when we use a computer or smartphones for example, but in this case it´s more simple to have two versions of hfs and run only the one with macros or not

28

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by Rapid on January 09, 2025, 09:41:53 AM »

I've sent you a private message because I can't run x64 apps.
...

32bit: https://rnq.ru/categories/download/8-hfs/216-hfs-324

...
We can have the best of both worlds if we do this:

(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.
Even then, nobody could guarantee 100% permanent security forever...

Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)

I think you misunderstands what macroses are. Templates are based on macroses. So "no macros" = "no templates".
For me HFS is just a Home File Server. I don't really care about security.
All changes are just for fun...
Like a beautiful alpha-blend icons, serving thumbnails as WEBP,  using ZSTD compression instead of zlib. Nobody needs it, but it's fun to do
So the next big fun is to add "zip format for folder archives"

29

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by LeoNeeson on January 09, 2025, 12:58:25 AM »

Could you check my versions, if it vulnerable or not? As I'm not really understand your answers per my fixes.

I've sent you a private message because I can't run x64 apps.
You can use 1Fichier to upload files if that's easier for you.
Until then, I can't review your version; I'm sorry...

I really don't understand, why you afraid only 'exec' macros. With "save" macros it's possible to do the same (if write 'bat' or 'lnk' file). With 'add folder' - it's possible to add home folder of active user, and maybe download something private.

I completely agree with you (and I was already aware of all that).

it is always possible to use version 2.2f which makes it possible to distribute content as one looks at a film,

We can have the best of both worlds if we do this:

(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.
Even then, nobody could guarantee 100% permanent security forever...

Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)

30

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by Mars on January 08, 2025, 01:08:21 PM »

In the face of all these hacking possibilities, it is up to the fact that hfs is running on a virtual machine in a restricted environment.

HFS is of an old design, no matter how much we try to plug the holes, but we'll never be safe from further leaks.
it is always possible to use version 2.2f which makes it possible to distribute content as one looks at a film,

otherwise we use a version with macros, which allows a certain interactivity, but it's like with games, there's always some that will always try to cheat to win not much except forge in the idea that they beat the designer in his efforts to make his product inviolable. It's a racing game where we can quickly make mistakes that make us lose the race.

the race here is that of inventiveness that will give the one who will be the most clever to supplant the other by cutting off the grass under his foot, like a chess player it is not because we lose coins or even the queen that we are on the ground as long as failure and matte is not announced