rejetto forum

Directories in ~files.lst?



Martok
Hello,

is there any way to show the directory names in the virtual ~files.lst file?

I would like to use it to build a file repository, but without the dirs, it is not possible to recurse automatically.

Is there any option to turn this on?

Thanks in advance,
Martok
(now registered!)
Cheers,

Martok


Anonymous

Quote from: "Martok"
is there any way to show the directory names in the virtual ~files.lst file?
Do you want to make it easy for hackers or for those who like to steal the contents from websites with a spider?


rejetto
hi martok, actually that file is built using a special internal template.
the template is not easily editable ATM, you should use a resource editor.
the resource name is filelistTpl
the content is
Code:
%files%

[files]
%list%

[file]
http://%host%%item-url%
as you can see, you just need to add the [folder] section

if you need it, I can make it possible for HFS to load the template from an external file if it exists
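The following is an added illustration of what the [folder] section does, not code from HFS or from rejetto: a small Python renderer for the filelistTpl template above. It assumes a simplified expansion model (the unnamed top section is the output, %name% expands the [name] section, %list% inside [files] is the [file] or [folder] section rendered once per item, %host% and %item-url% are the request host and the item's URL path); HFS's real engine may differ in details.

```python
# Simplified renderer for the filelistTpl template (assumed semantics, not
# HFS's real engine): %name% expands [name]; %list% inside [files] is the
# [file]/[folder] section rendered per item; %host% and %item-url% are filled.
import re
from dataclasses import dataclass

@dataclass
class Item:
    url: str               # URL path of the item, e.g. "/docs/readme.txt"
    is_folder: bool = False

def parse_sections(tpl: str) -> dict:
    """Split the template into {"": top, "files": ..., "file": ..., ...}."""
    sections, name, buf = {}, "", []
    for line in tpl.splitlines():
        m = re.fullmatch(r"\[([\w-]+)\]", line.strip())
        if m:
            sections[name] = "\n".join(buf).strip("\n")
            name, buf = m.group(1), []
        else:
            buf.append(line)
    sections[name] = "\n".join(buf).strip("\n")
    return sections

def render_list(tpl: str, host: str, items: list) -> str:
    """Render the ~files.lst body for one directory listing."""
    s = parse_sections(tpl)
    rows = []
    for it in items:
        sec = s.get("folder" if it.is_folder else "file")
        if sec is None:        # no [folder] section: folders are skipped
            continue
        rows.append(sec.replace("%host%", host).replace("%item-url%", it.url))
    files = s.get("files", "").replace("%list%", "\n".join(rows))
    return s.get("", "").replace("%files%", files)

# The template from rejetto's post, and the same with a [folder] section added.
ORIGINAL_TPL = "%files%\n\n[files]\n%list%\n\n[file]\nhttp://%host%%item-url%\n"
WITH_FOLDERS_TPL = ORIGINAL_TPL + "\n[folder]\nhttp://%host%%item-url%/\n"

# Constructed directory contents (not from the thread).
SAMPLE_ITEMS = [Item("/docs", is_folder=True),
                Item("/docs/readme.txt"),
                Item("/setup.exe")]

if __name__ == "__main__":
    print(render_list(ORIGINAL_TPL, "localhost", SAMPLE_ITEMS))
    print(render_list(WITH_FOLDERS_TPL, "localhost", SAMPLE_ITEMS))
```

With the original template the /docs folder is silently dropped; with the [folder] section it appears as its own line, which is what the recursion Martok asked for needs.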


Anonymous
Thanks Rejetto!

This is exactly what I meant.
Loading from an external file would be nice, as with every update, the changes need to be redone.

BTW: your template description "language" is very nice, easy to change if you know what to change! ;-)

Martok


rejetto
Quote from: "Anonymous"
Loading from an external file would be nice, as with every update, the changes need to be redone.
ok, available in last beta


Anonymous
Quote from: "rejetto"
create the file in the same folder of HFS with this content:
Code:
%files%

[files]
%list%

[file]
http://%host%%item-url%
OK, I created a filelist.tpl file with the contents you show above.  It is located in the root of my HFS directory.

My question now is: what more do I do with it?  I ran HFS and I didn't notice anything different with the filelist.tpl file in the HFS directory.  I think you said somewhere that HFS will know that file is there and do something with it.  I didn't notice anything different happening.  How is ~files.lst loaded from this external file filelist.tpl?  Is there something more that I have to configure?


rejetto
please.... first explain what you want to get


Anonymous
Quote from: "rejetto"
please.... first explain what you want to get
What I want to get?  Well, I want to get a file list by using the external filelist.tpl.  That's what it is for, isn't it?  Or am I misunderstanding what the purpose of this file is for?


rejetto
you get the list anyway through the ~files.lst


this file is to change the list, like adding folders, you can read the first post of this topic.
so, you want to change the list, or you don't need this feature.


Anonymous
OK.  Thanks.  I added the [folder] section like you suggested before and the folder names are now added to the file list that is generated.  Too bad that the file list output is triple spaced.

Anyway, I thought this was going to be a more exciting feature than it actually is.  Not sure why this [folder] section is really needed as all of the URLs in the file list already contain the folder name as part of the URL.


rejetto
this feature is just NOT USEFUL for you
sure it is for who asked for it ;)
this is a feature for few, and that's why it is so hidden

nobody needs all features


~GeeS~
Guest wrote:
Quote
Martok wrote:
is there any way to show the directory names in the virtual ~files.lst file?

Do you want to make it easy for hackers or for those who like to steal the contents from websites with a spider?

Rejetto, just did a test:
 
I protected all directories and files with a user/pass. Not logged in, HFS refused to show me the content of the protected directories; the desired behaviour.  :)
Appending ~files.lst to the URL, like 127.0.0.1/private/~files.lst, results in the full list of files in that protected directory, except the hidden ones.  :eek:
As you can imagine, entering 127.0.0.1/private/listedfilename.ext gave access/DL of these files.
Can this ~files.lst command be limited to allowed users only? In case it isn't possible, then the filelisting feature will override security, which isn't acceptable at all!   :evil:

Same behaviour was found for the ~progress command. All visitors of the site are able to see which files are up- & downloading, protected or not. Only credible users should see which files are transferred. ;)
"Privacy is not a crime!"

The ~upload didn't show this behaviour, but just kicked the request.

Edit:
Is it a feature, bug or vulnerability?
I don't use the list command in my template (I don't see the sense of it), but because the ~files.lst command still is available, for me it's a vulnerability which can be exploited.

Just my 2 cents, keep up the good work  :^:  /edit
~GeeS~


maverick
Quote from: "~GeeS~"
Appending ~files.lst to the URL, like 127.0.0.1/private/~files.lst, results in the full list of files in that protected directory, except the hidden ones.  :eek:
Yes that's true but anyone who knows how to do that correctly has to know your exact directory structure first, has used HFS themselves, or has been on a HFS site to be aware of the file list feature if activated.

Quote
As you can imagine, entering 127.0.0.1/private/listedfilename.ext gave access/DL of these files.
Not here.  I'm asked to login with name and password first before that is allowed which is the expected behavior.  So that's no concern.  

Quote
Can this ~files.lst command limited to allowed users only? In case it isn't possible, then the filelisting feature will override security, which isn't acceptable at all!   :evil:
There is not much they could do with the file list  information unless they had a valid user name and password.  If they do have a valid user name and password, assigned by the system administrator, then they have already been given permission to download any files from the directories they have been given access to.  That's the expected behavior.  HFS will log those activities so there wouldn't be anything hidden from the system administrator.

Quote
Same behaviour was found for the ~progress command. All vistors of the site are able to see which files are up- & downloading, protected or not. Only credible users should see which files are transferred. ;)
I'm not following you here.  I can't reproduce what you are saying.  The only folders & files that your users would visually see when browsing your site are the ones you have given them access to.

Quote
I don't use the list command in my template (I don't see the sense of it), but because the ~files.lst commans still is available, for me it's a vulnerability which can be exploited.
I don't use the file list feature.  Never did.  I don't really see the purpose of it.  It's not a vulnerability concern for me as for anyone to use it successfully to download files or even spider my site, they would first have to have a valid user name and password to gain any kind of access and I am the only one who assigns those for my site.  If I notice anything strange going on that shouldn't be, I simply kill the IP/connection or ban.
maverick


~GeeS~
Thanks for testing too.
After some more testing on another machine with Opera and IE, I couldn't reproduce the access or DL of files from protected directories. Probably I messed up some VFS configurations during testing. Sorry for the false alarm. :#)

So what still could be a privacy issue is the fact that appending the ~files.lst command to a URL with a protected directory reveals the filenames of the files in that directory.
Or, and this is what I meant with the 127.0.0.1/~progress command: If there are up- or downloading transfers ongoing, all visitors can see the list of all down- or uploading files on the server at that time.

If you are not concerned about revealing the filenames in these directories or of ongoing traffic, it's a nice feature.
There is a workaround:
Insert one directory without any files between the protected and the "private" directory which contains files. Applying ~files.lst will then produce an empty page. Edit: If the intruder guesses or knows the full (default) path, it won't help. /Edit
The status window is intended as a feature: so just remove the appropriate HTML from the template and the down/upload-progress isn't displayed anymore.
So you can take your measures (or not) when designing your VFS, at least I've warned you.  :D  now

Edit:
Quote
Yes that's true but anyone who knows how to do that correctly has to know your exact directory structure first, has used HFS themselves, or has been on a HFS site to be aware of the file list feature if activated.
But don't underestimate the community: what can be exploited, will be exploited! I found this on a messageboard some time ago:
Quote
we can search through any search engine for "HttpFileServer 2.0 beta18"
the results are mostly websites by home users having pirated softwares /warezes/mp3s/movies etc.
but some have the username/password protection.
can we break this protection.
Search, find, evaluate ... see hfstest.ath.cx   /Edit
~GeeS~
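The check ~GeeS~ describes, turned into a small audit script for your own HFS instance. This is added here and is not part of HFS or of anyone's post; it assumes a login-protected folder answers an anonymous request with HTTP 401 and that ~files.lst and ~progress are requested relative to that folder, as in the thread.

```python
# Added audit helper (not part of HFS): for each login-protected folder,
# checks whether the special ~files.lst and ~progress URLs underneath it
# are still answered to an anonymous client. Assumes 401 for protected paths.
import urllib.request
import urllib.error

SPECIAL = ("~files.lst", "~progress")

def fetch_status(url: str) -> int:
    """HTTP status of an unauthenticated GET; 0 on network error."""
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return 0

def find_leaks(statuses: dict) -> list:
    """statuses maps each probed path to its anonymous status code.
    A folder answering 401 whose ~files.lst or ~progress answers 200
    discloses file or transfer names to anyone; return those URLs."""
    leaks = []
    for path, code in statuses.items():
        if not path.endswith("/") or code != 401:
            continue
        for cmd in SPECIAL:
            if statuses.get(path + cmd) == 200:
                leaks.append(path + cmd)
    return sorted(leaks)

def audit(base: str, folders: list) -> list:
    """Probe a live server you own: the folder itself, then its special URLs."""
    statuses = {}
    for folder in folders:
        folder = folder if folder.endswith("/") else folder + "/"
        for path in (folder,) + tuple(folder + c for c in SPECIAL):
            statuses[path] = fetch_status(base.rstrip("/") + path)
    return find_leaks(statuses)

# Constructed result set (no server contacted) mirroring the report above:
# the folder demands a login, but its ~files.lst is served anyway.
SAMPLE_STATUSES = {
    "/private/": 401,
    "/private/~files.lst": 200,
    "/private/~progress": 401,
    "/public/": 200,
    "/public/~files.lst": 200,
}
```

Running audit("http://127.0.0.1", ["/private"]) against a server that behaves like the constructed sample returns ["/private/~files.lst"]; an empty list means the special URLs honour the folder's login requirement.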


maverick
~GeeS~

Quote
we can search through any search engine for "HttpFileServer 2.0 beta18" the results are mostly websites by home users having pirated softwares /warezes/mp3s/movies etc.
That assumes a search engine has successfully "indexed" the site.  Now I'm sure anyone who has that kind of content available wouldn't want their site indexed by a search engine for the world to see.

To avoid that, use a meta tag to protect your site from search engine indexing...

<META NAME="ROBOTS" CONTENT="NOINDEX"> or
<META NAME="ROBOTS" CONTENT="NOINDEX,NOFOLLOW">

Place that between <head> ... and ... </head>.

Create a robots.txt file with the following contents....
User-agent: *
Disallow: /
... and put that robots.txt file in your vfs root.

Quote
but some have the username/password protection. can we break this protection.
That tells me that they couldn't get into password protected sites.

mav
maverick