High risk vulnerability (Critical severity) #3
Comments
correction: the POC in the latest link is not affecting rc7, but the one on "attackerkb.com" is
I think the problem is in this line https://github.com/rejetto/hfs2/blob/140528bac87e4ae37d444b218b5ef6ff793edc80/scriptLib.pas#L121
I'm doing some Public Relations (PR) here, to alert others about this vulnerability (discovered by @mohemiv). Please forgive me if this notice bothers or upsets someone (in this case, remember that "it's better be safe than sorry"). This message is to notify all those who have a copy or fork of HFS2: https://github.com/rejetto/hfs2 (List of users who have a fork of HFS2) [Part 1]: @10ae; @1aq; @1INSIDIOUS; @24minFan; @506124204; @674778709; @93Codes; @a1198457636; @aifans; @ajunlonglive; @Alligator-1; @Amoystyle; @arvindown; @atkins126; @AtotallyRandomGuy; @AureliusPatiens; @Azimiao; @barlowhaydnb; @bb33bb; @blkdevcon; @blog2i2j; @Brainhub24; @bryanchance; @cbcs; @ccwy; @cedececa; @ChasingD; @classic130; @CrazyForks; @crazyNing; @cyrex562; @diegoverdan; @divinity76; @do8pgg; @dsvabek; @ducbang; @FallPeanut; @ffrbl; @flyarong; @GaryLao; @GitCnSH-DSLIN; @gmh5225; @goofwear; @h824612113; @ha271923; @hafewa; @harishgavel;
» Regardless, development has moved on to HFS3, and even if HFS2 probably won't be updated by @rejetto, any collaboration will be useful to others who also have a fork of HFS2 (and compile the binaries on their own). Those who want to collaborate can leave a comment on this issue, or even better, send a 'Pull request' on the original project: https://github.com/rejetto/hfs2/pulls (List of users who have a fork of HFS2) [Part 2]: @hi-noikiy; @HowardWhile; @IcyG1045; @icyhoty2k; @iloeng; @iMeta1; @ios1024; @jacelift; @jacobin; @jeethualex; @jn7163; @josedachao; @JosiahMg; @juankprz; @junqinhu; @khongten001; @l-g-t; @lakecenter; @lanxianhui; @laojiajun; @LeChatNoir666; @lianghuiyuan; @lion8418; @lllrrr2; @LordGarfio; @lzxkulou; @mangoriver; @mapoupier; @mcubeta; @minol; @mnplay; @mybbsky2012; @ncnnnnn; @netusb; @neverso; @oabi; @ojbkxc; @Ok-every-day; @oycl; @peaceanddemocracy; @pigbaby6309; @prafulbusa; @PravinShahi0007; @progray; @Loop80; @protonuniverse;
Holiday period, please do not disturb.
Being listed here doesn't mean you have any commitment or obligation to collaborate with this issue. If you don't want to collaborate, please disregard this notice. This is only an informational message! (List of users who have a fork of HFS2) [Part 3]: @RahimBangla; @redcocoa; @redlinejoes; @redtrillix; @rellai; @rsiralla; @sdlkdsdda; @shayanw; @shead0n; @simhaonline; @simrit1; @siwa2-w; @snakegj; @SWDRam; @swoky; @TengShow; @teze; @VantIer; @venhow; @vivienskm; @waldonhendricks; @wesinator; @weweaaa; @wuenci666; @xGreat; @xiaoshzx; @xsgx; @xxfwajj84; @XZVB12; @yangjinhe; @yogtop; @z-cub; @mr-highball; @Zhengzhouhao; @zmf963; @zxysm; @ZZKK000
» Code submission guidelines (Code contribution suggestions): By the way, this vulnerability was published yesterday in the legendary 'Packet Storm Security' website: https://packetstormsecurity.com/files/179083/Rejetto-HTTP-File-Server-HFS-Unauthenticated-Remote-Code-Execution.html
won't this change badly affect style attributes using % ?
Holiday period, please do not disturb.
Hi! This is only a reminder. Since you maintain a fork of HFS, and in case you didn't know, a severe vulnerability (that demands immediate attention) has recently been discovered, known to affect HFS v2.4.0 RC7 and v2.3m. It's CVE-2024-23692, and you will find more information on the following links:
Understanding the critical threat
https://linuxpatch.com/cve/CVE-2024-23692
Technical analysis (Vulnerability details)
https://attackerkb.com/topics/d9AVVdmNhH/cve-2024-23692
How to reproduce it (Payload and instructions)
Rejetto HTTP File Server (HFS) 2.x - Unauthenticated RCE exploit module (CVE-2024-23692) rapid7/metasploit-framework#19240
Original finder information (By Arseniy Sharoglazov)
https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
Even if Rejetto has marked his versions 2.3.x and 2.4.x as 'obsolete' (or 'no longer supported'), there are too many HFS-based servers still running (including yours) that will never know about this issue until it's too late (when they've already been hacked). I'm sure Rejetto and his community will appreciate it if you submit a patch for his build too... :)
Cheers,
Leo.-