[SOLVED] BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!

[PC]

1) Start HFS
2) Turn on server
3) Drag to HFS folder from somewhere (eg. somenhing from Desktop)
4) Answer that you want Real Folder
5) Go from browser to HFS main site
6) Go inside shared folder (eg. localhost/TEST/)
7) Add "..." to URL (eg localhost/TEST/...)
Type "Enter"...

9) You will see content of folder one lecel upper !!!
10 ) In this way (wifh sharer folder from Desktop as "Real") you can freely browse all "Doccuments and Settings" and etc....

Can somebody fix it?  

Regards
PC

[Mars]

Before post a bug, you have to clarify which version of hfs you use and possibly the type of operating system.

Did you think of making a test with the template by default?

A test on the build 217 raised no problem. I have do what you say exactly, but nothing

[MarkV]

Getting: HTTP 404 - Not Found

build #218, RAWR template 0.1.1

[Pit]

I get also an 404 http error (Not found)

Build 218 light modified default template

[PC]

Checked - problem exists on:

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

[maverick]

Checked - problem exists on:

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

You say all Windows versions (9x)
Did you personally try it on Windows 95, Windows 98, Windows 98SE etc.?  I doubt many would be using those old o/s's anymore (maybe Win98SE is still used by a few).

You say all templates.  Can you be more specific and let us know which ones you are talking about?

When you are making a security claim like you have done, please make sure you give us all of the information so we can check it out to see if it is reproduceable.

[Mars]

Information or propaganda?

Insert Quote
Checked - problem exists on:

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

Quite as maverick, I ask me the question

But as it is never known, the case not it is never presented, it would be necessary to put to us a weblink to tour hfs server so that we noticed by us even

You can send me the link by private message to limit the risks, at the need (you must be registered on the forum)

[rejetto]

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

i tested with both 2.2e and 2.3 on Windows XP, and it gives me "not found" as to others.
I can't test Win9x. Can someone?

Anyway, it's sounds strange, since it should not depend on Windows: the test to prevent ".." is made by HFS itself.

[rejetto]

Thanks for testing on win98.
I fear this report is a fake.
I will wait a couple of days, then i'll delete it to avoid people thinking it's true.
You know i rarely delete on the forum, but this may be misinformation.

[MarkV]

This is no fake. Just tested on Win95C, and it is real. Latest beta, default template. Browser is SeaMonkey 1.1.4.

1. Created directory 'test' on my desktop.
2. Dragged in HFS. (root is bound to 'C:\Download')
3. Chose 'Real folder'
4. Opened the root in browser. (http://localhost)
5. Browsed into directory 'test' (http://localhost/test/)
6. Added the three dots to the address (http://localhost/test/...)
7. Now I could see the contents of my 'C:\Windows' directory, it's the parent of 'C:\Windows\Desktop' (http://localhost/test/.../)
8. Scratched my head... 



The same thing under Vista does not seem to work.


Edit: Win98SE same problem...

[r][m]

Mark V
Many Thanks, I stand corrected. (removed prev post)
I find it happens with 192.168.1.xx lan address and the folder
doesn't have to be named test. My 2nd screen shot is real disturbing.
It brought up my HFS directory, which is not in the VFS? Complete with
remote css formating.

But... I find that it doesn't seem this works with folders that already exist?
If the properties are flags are changed, results get unpredictable.
I may shut down completely untill this is resolved!

[MarkV]

Three possible theories:
1) It is a 9x problem.
2) It is a problem with FAT32.
3) It is a problem with MS-DOS, all 9x-kernel OS are still based on it.

Unfortunately I have not NT based Windows with FAT32 (Though I think I could set up one quickly).

If you open the command line ('DOS', COMMAND.COM), and type cd ... in a 9x-kernel OS, you go up 2 directories.
The very same command does not work in NT-kernel OS, where DOS is only a virtual machine (NTVDM, CMD.EXE)

[r][m]

It seems that a folder named Test added to the vfs from the directory HFS is
in did not do this, but I can't say it only occurs from the desktop.
Since I'd never create a folder on the desktop to use in vfs, I'll consider this
as not to serious, yet. I'll test my existing file structure a bit more though.
Saving vfs and options, hiding or stopping/restarting HFS didn't stop this behavior.

On win 98se, using 218 and my HFS is on "E" not C

Uh, Oh - Just found a MAJOR problem.
Haven't been able to stop this one yet? 
We need to try this from out on the net, not just local.
Edit:
Rejetto - sent you a PM about this !!

[MarkV]

Number 2 is negative. Windows 2000 Pro and FAT32 - no problem.

[r][m]

Mark V
I'll try to PM you before I leave for work