High risk vulnerability (Critical severity) #3
LeoNeeson opened this issue Jun 8, 2024 · 9 comments

Comments

@LeoNeeson

LeoNeeson commented Jun 8, 2024

Hi! This is only a reminder. Since you maintain a fork of HFS, and in case you didn't know, a severe vulnerability (one that demands immediate attention) has recently been discovered, known to affect HFS v2.4.0 RC7 and v2.3m. It's CVE-2024-23692, and you will find more information at the following links:

Even if Rejetto marked his versions 2.3.x and 2.4.x as 'obsolete' (or 'no longer supported'), there are too many HFS-based servers still running (including yours) that will never know about this issue until it's too late (when they've already been hacked). I'm sure Rejetto and his community will appreciate it if you submit a patch for his build too... :)

Cheers,
Leo.-

@rejetto

rejetto commented Jun 12, 2024

In my tests, 2.4 RC7 doesn't seem to be affected in its default configuration, that is, with the default template, as that template doesn't use the "get|url" command.

Correction: the PoC in the latest link does not affect RC7, but the one on "attackerkb.com" does.

@drapid
Owner

drapid commented Jun 12, 2024

I think the problem is in this line: https://github.com/rejetto/hfs2/blob/140528bac87e4ae37d444b218b5ef6ff793edc80/scriptLib.pas#L121
So not all "%" symbols are replaced.
I think changing it to "ReplaceStr(s, '%','%')" should work better.

drapid added a commit that referenced this issue Jun 12, 2024
Fix for #3
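The failure mode drapid describes (an escape step that does not rewrite every "%" in untrusted input) is worth seeing end to end. The block below is an added illustration and is not code from HFS, from this thread, or from the commit referenced above: a toy `%name%` expander stands in for the template engine, the symbol table and payloads are constructed for the example, and `escape_first_only` mimics Delphi's `StringReplace` called without `rfReplaceAll` (only the first match replaced) while `escape_all` mimics `StrUtils.ReplaceStr` (every match replaced). Whether scriptLib.pas line 121 actually uses `StringReplace` is not shown on this page.

```python
"""Added example, not code from HFS or from this thread.

A toy "%name%" expander stands in for the template engine; HFS's real
scriptLib.pas logic is not reproduced here. The point is how an escape
that rewrites only the first "%" in untrusted input is bypassed.
"""
import re

# Constructed symbol table for the toy expander.
SYMBOLS = {"user": "alice", "folder": "/pub"}


def expand(text: str) -> str:
    """Expand every %name% whose name is in SYMBOLS; leave the rest untouched."""
    return re.sub(r"%(\w+)%", lambda m: SYMBOLS.get(m.group(1), m.group(0)), text)


def escape_first_only(value: str) -> str:
    """Like Delphi StringReplace(value, '%', '&#37;', []) without rfReplaceAll:
    only the first occurrence is rewritten."""
    return value.replace("%", "&#37;", 1)


def escape_all(value: str) -> str:
    """Like StrUtils.ReplaceStr, which replaces every occurrence."""
    return value.replace("%", "&#37;")


def render(user_input: str, escape) -> str:
    """Escape the untrusted value, splice it into a template that legitimately
    contains '%' (a CSS width and a %user% symbol), then expand the page.
    The escape runs over the untrusted value only, so the template's own
    '%' characters are never touched."""
    page = ('<div style="width:50%">Hello %user%, you searched: '
            + escape(user_input) + '</div>')
    return expand(page)


# A payload with a single '%' pair looks safe under both escapers, which is
# how a first-occurrence-only escape survives casual testing.
NAIVE_PAYLOAD = "%folder%"
# Prefixing one extra '%' absorbs the single replacement and lets the real
# symbol through to the expander.
PREFIXED_PAYLOAD = "%%folder%"


def injected(escape, payload: str) -> bool:
    """True if the expander substituted a symbol from inside the user input."""
    return "/pub" in render(payload, escape)


if __name__ == "__main__":
    for name, esc in (("first only", escape_first_only), ("all", escape_all)):
        for payload in (NAIVE_PAYLOAD, PREFIXED_PAYLOAD):
            print(f"{name:10} {payload!r:12} -> {render(payload, esc)}")
```

Running it, the "first only" row for `%%folder%` shows `/pub` substituted inside the user-controlled text, while `escape_all` leaves `&#37;&#37;folder&#37;`, which a browser still displays as `%%folder%`. Two things to check when reviewing a fix of this shape: that the replacement covers every occurrence (in Delphi, `StringReplace` replaces only the first match unless `rfReplaceAll` is passed, whereas `StrUtils.ReplaceStr` always replaces all), and that it runs over the untrusted value rather than over the rendered template, since otherwise legitimate `%` in CSS such as `width:50%` is rewritten as well, which is the concern raised later in this thread.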
@rejetto

rejetto commented Jun 13, 2024

[image]

these are the steps that lead to the execution

@LeoNeeson
Author

I'm doing some Public Relations (PR) here to alert others about this vulnerability (discovered by @mohemiv). Please forgive me if this notice bothers or upsets someone (in that case, remember that "it's better to be safe than sorry"). This message is to notify all those who have a copy or fork of HFS2: https://github.com/rejetto/hfs2

(List of users who have a fork of HFS2) [Part 1] @10ae; @1aq; @1INSIDIOUS; @24minFan; @506124204; @674778709; @93Codes; @a1198457636; @aifans; @ajunlonglive; @Alligator-1; @Amoystyle; @arvindown; @atkins126; @AtotallyRandomGuy; @AureliusPatiens; @Azimiao; @barlowhaydnb; @bb33bb; @blkdevcon; @blog2i2j; @Brainhub24; @bryanchance; @cbcs; @ccwy; @cedececa; @ChasingD; @classic130; @CrazyForks; @crazyNing; @cyrex562; @diegoverdan; @divinity76; @do8pgg; @dsvabek; @ducbang; @FallPeanut; @ffrbl; @flyarong; @GaryLao; @GitCnSH-DSLIN; @gmh5225; @goofwear; @h824612113; @ha271923; @hafewa; @harishgavel;

@LeoNeeson
Author

» Regardless, development has moved on to HFS3, and even if HFS2 probably won't be updated by @rejetto, any collaboration will be useful to others who also have a fork of HFS2 (and compile the binaries on their own). Those who want to collaborate can leave a comment on this issue or, even better, send a pull request to the original project: https://github.com/rejetto/hfs2/pulls

(List of users who have a fork of HFS2) [Part 2] @hi-noikiy; @HowardWhile; @IcyG1045; @icyhoty2k; @iloeng; @iMeta1; @ios1024; @jacelift; @jacobin; @jeethualex; @jn7163; @josedachao; @JosiahMg; @juankprz; @junqinhu; @khongten001; @l-g-t; @lakecenter; @lanxianhui; @laojiajun; @LeChatNoir666; @lianghuiyuan; @lion8418; @lllrrr2; @LordGarfio; @lzxkulou; @mangoriver; @mapoupier; @mcubeta; @minol; @mnplay; @mybbsky2012; @ncnnnnn; @netusb; @neverso; @oabi; @ojbkxc; @Ok-every-day; @oycl; @peaceanddemocracy; @pigbaby6309; @prafulbusa; @PravinShahi0007; @progray; @Loop80; @protonuniverse;

@mybbsky2012

mybbsky2012 commented Jun 14, 2024 via email

@LeoNeeson
Author

Being listed here doesn't mean you have any commitment or obligation to collaborate on this issue. If you don't want to collaborate, please disregard this notice. This is only an informational message!

(List of users who have a fork of HFS2) [Part 3] @RahimBangla; @redcocoa; @redlinejoes; @redtrillix; @rellai; @rsiralla; @sdlkdsdda; @shayanw; @shead0n; @simhaonline; @simrit1; @siwa2-w; @snakegj; @SWDRam; @swoky; @TengShow; @teze; @VantIer; @venhow; @vivienskm; @waldonhendricks; @wesinator; @weweaaa; @wuenci666; @xGreat; @xiaoshzx; @xsgx; @xxfwajj84; @XZVB12; @yangjinhe; @yogtop; @z-cub; @mr-highball; @Zhengzhouhao; @zmf963; @zxysm; @ZZKK000

» Code submission guidelines (code contribution suggestions):
Although HFS v2.4.0 RC7 was compiled using modern (Unicode-compatible) Delphi versions, since this vulnerability also applies to HFS v2.3m, which was originally compiled using "Turbo Delphi 2006" (similar to 'Delphi 2007'), please keep changes compatible with older Delphi versions. Please keep changes small and focused (meaning: no code clean-ups, no new features). This applies to everyone except @rejetto (the original developer) and @drapid (the owner of this repository), who may do whatever they wish.

By the way, this vulnerability was published yesterday on the legendary 'Packet Storm Security' website: https://packetstormsecurity.com/files/179083/Rejetto-HTTP-File-Server-HFS-Unauthenticated-Remote-Code-Execution.html

@rejetto

rejetto commented Jul 6, 2024

> I think changing it to "ReplaceStr(s, '%','%')" should work better.

Won't this change badly affect style attributes using %?

@mybbsky2012

mybbsky2012 commented Jul 6, 2024 via email
