Recent Posts

41

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by LeoNeeson on January 01, 2025, 01:22:28 PM »

@Alps: Using "deactivate Browsable" doesn't make any difference here (you can use it, but it doesn't stop this vulnerability). The only setting that stops it, is disabling macros (since the problem is there). With macros disabled, even search works fine, you only need to use a simple template that doesn't need or use macros.

For example, I've quickly modified (removing any use of macros) the 'Stripes' template, which is a template made by the user Danny for HFS v2.3 and v2.4. These modified templates I've uploaded here, works fine for basic 'file listing' operations but doesn't have the upload, delete or login function (login still works when using v2.3), but you can add those functions back, if you have the knowledge to do it, and you don't use macros (I currently don't have enough free time nor the patience to do it).

Well, that's all for now, hope it helps.

42

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by Alps on January 01, 2025, 03:42:34 AM »

Very thanks for reply.

ok, as you say browsable not helps with this vulnerability "setting in hfs window part "virtual file system" " /Home Right click/properties/flags deactivate Browsable"

If i switch it off, user become message.
!Forbidden
or||!This resource is not accessible.

And it not only deactivate searchbox, it also deactivate search direct link.
Example
http://0.0.0.0:80/?search=test

If i switch also macro off.
Comes also
!Forbidden
or||!This resource is not accessible.

In this case it is better switch macro off and browsable on ? (The last years browsable off was my default setting)

I have a rootserver, and hfs was a important part, of course i can not use old hfs before have a safe solution.
HFS 3 is not a solution for me.

If macro off is a really safe solution, it is perfect for me, i need only direct linking.

Is a easy way possible for test this vulnerability ?

43

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by LeoNeeson on December 31, 2024, 08:46:25 AM »

Maybe can fix this security problem with different settings or template modification or macro deactivation ?
Maybe i am wrong, but it sounds the problem is in template and search function.

In hfs /Home Right click/properties/ deactivate Browsable
It deactivate browse page, search and other. (Files can download now only with direct link)
Probably this is not a solution, but i think the profis here know it better.

Can it help ?

*** Temporary solution ***
Yes, good idea! , if you disable macros, the vulnerability will NOT happen!
But keep in mind, you will not have file list (the default template will not work)

1) Inside HFS, press F5 to switch to 'Expert mode'.
2) Go to Menu > HTML template > and uncheck 'Enable macros'.
3) It will ask you 'Do you want to cancel this action?', click in 'No'.
4) Any visitor will have this message "WARNING: this template is only to be used with HFS 2.3 (and macros enabled)", and that means you have disabled the macros, and -hopefully-, the vulnerability will NOT happen!


- Old answer (read the message above): Unfortunately, that won't stop this vulnerability (I wish it were as simple as that). The only way is to modify the program (recompiling the source code). For the moment, it is better to temporarily discontinue the use of HFS v2.x (at least until this vulnerability gets fixed, something I haven't had time to finish yet), or even better, upgrade to the new version (HFS3).

Happy Holidays to all (and happy New Year!)

44

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by Alps on December 31, 2024, 04:49:22 AM »

Maybe can fix this security problem with different settings or template modification or macro deactivation ?
Maybe i am wrong, but it sounds the problem is in template and search function.

In hfs /Home Right click/properties/ deactivate Browsable
It deactivate browse page, search and other. (Files can download now only with direct link)
Probably this is not a solution, but i think the profis here know it better.

Can it help ?

45

Everything else / Re: Best DynDNS alternative: FreeDNS.afraid.org

« Last post by rejetto on October 30, 2024, 01:13:45 PM »

some modems have ddns updater feature. That may be the best option

46

Everything else / Re: Best DynDNS alternative: FreeDNS.afraid.org

« Last post by LeoNeeson on October 19, 2024, 09:46:55 PM »

I wonder, can HFS update it automatically?

Yes, it's easy, but read a very important note at the end...

1. Login to your FreeDNS.Afraid.org account and go to "Dynamic DNS".

2. Copy the link from "Direct URL" for the domain you want to update.
     

3. From that link, change "https://" to "http://" (removing the 's'),
   since HFS can't handle SSL connections (unless you are using v2.4 RC7).

Link example:

Code: [Select]

http://freedns.afraid.org/dynamic/update.php?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
4. In HFS, press F5 (if you are not already in 'Expert mode'), and go to...
   'Menu' > 'Dynamic DNS updater' > 'Custom...' and paste there the link.

5. It's all ready. Enjoy!


NOTE: My recommendation for FreeDNS.Afraid.org remains, but I currently do not recommend to use HFS to do the 'DNS update' (as a 'Dynamic DNS client'). It can be used along HFS, but it's better not within it. This is because, no matter what DynDNS service you do use, I've noticed that HFS it's not very reliable for this task (I've found a small bug when using the 'Custom' option, and although it seems to work, I can't guarantee it will always function). What kind of bug? HFS is -always- updating the DNS even if is not necessary, without checking first if the IP of the hostname has changed or not, and this leads to this "ERROR: Address 123.xxx.xxx.xxx has not changed." For casual use, it could work fine, but for use on as a permanent server, it's much better to use another DDNS client to update the IP.

47

Everything else / Re: Best DynDNS alternative: FreeDNS.afraid.org

« Last post by TekWiz on October 17, 2024, 08:14:37 PM »

Thank you, I agree, I've been using afraid for many, many years now. It's a shame it's not more widely supported. Doing the auto updates in windows can be a bit tricky as a simple updater hasn't been updated for years... But can be done with a scheduled script easily. I wonder, can HFS update it automatically?

48

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by rejetto on October 17, 2024, 12:02:23 PM »

I think Mars' idea of restricting "exec" is good.
It's a pity I didn't have it at the time
I don't like the idea of having a specific folder, tho. I would rather have a way to configure what commands are allowed, so that the user must manually enable them.

49

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by sergio on October 09, 2024, 05:46:19 PM »

Thank you very much for the clarification. I hope it can be resolved soon.

50

HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability

« Last post by LeoNeeson on October 09, 2024, 04:12:26 AM »

But if hfs is under cloudflare, does the vulnerability continue?

Yes, the vulnerability continues, and it could put at risk the PC (server) where HFS2 (v2.x) runs. Running it under Cloudflare somewhat makes the server more hidden (harder to be scanned by hackers), but once it's discovered and targeted by a hacker, he could run or install any program (malware or anything). Unless you run HFS2 on a VPS (or somewhere you don't have anything valuable), and you can recover your data in case of problems, you should think on updating to HFS3 (or take the risk and wait until we release an unofficial version of HFS2 with this vulnerability fixed). We are closer to find a solution to this, but the decision of waiting or updating is yours. Keep in mind that HFS3 is a completely different software (written from scratch) and its configuration is not compatible with HFS2, so you should have to configure everything again, but HFS3 is the currently recommended choice. If you have any questions about HFS3, please ask on the place dedicated to it (here), to avoid this thread going off-topic.