httpdx changelog
---------------------------------------------------------
+ New feature / Addition / Change / Improvisation
- Something removed
! Bug fix
---------------------------------------------------------

v1.5.4
---
+ SERVER_ADDR is now enabled for config script
+ Maximum number of threads increased to 12
+ Lots of memory optimizations, client structures are now using shared memory for constant data
+ More speed and stability
! Fixed: http://securityreason.com/exploitalert/7929
! Fixed log opening bug + default log file names
! Fixed script parsing bug: comment was allowed inside a string

v1.5.3b
---
! Fixed LoadLibrary() break services bug, http://sysdream.com
! Fixed: http://secunia.com/advisories/38620

v1.5.3
---
+ Give dll resources a Last-Modified date
! Fixed f_command() "bug" (forgot that debugging "printf" there)

v1.5.2
---
+ HTTP_REFERER is now enabled for config script
+ Config script variables are no longer set through environment variables (no need to wait for mutex in multithread mode)
+ Better memory cleanup
+ Few security improvisations

v1.5.1
---
+ Added upload limit feature. Set with http.upload-limit-kbs
! Fixed tolog() -bug

v1.5
---
+ Balancing and task dealing between 0-10 (user defined) extra threads. Useful for servers with lots of traffic. Also gives some extra-speed.
- http.timeout_recv removed
+ Added http.timeout_read and http.timeout_write
+ Added http.workers -variable and -hworkers -command line option
+ set -structures replaced with vectors to prevent memory leak
+ hclient2fdset: skip clients marked as done
- n.dll removed, its functions are now compiled into httpdx.exe (respecting the "ultralight" -norms)
+ auto-compile scripts (on development)
! No more clients hanging with state 4 (file/data upload)
+ Added /httpdx~debug.hxcmd -command

v1.4.6b
---
! Remove unwanted fake-dots at end of the filename (prevent source disclosure)

v1.4.6
---
+ Few modifications to support multipart/form-data

v1.4.5
---
+ Added server.name, http.listdir.listhidden and http.listdir.charset
+ http.dircss changed to http.listdir.css and http.diricons to http.listdir.icons to group these listdir -variables
+ Added more error checking (considerably more performance; no additional loops with invalid sockets)
! Seek open file back by count of bytes not sent; lesser chance to fail uploading (http and ftp)
+ Statics view command ready ("/httpdx~stats.hxcmd")

v1.4.4b
---
! Bugfix related to new request processing

v1.4.4
---
+ New faster request handling system (can now receive request in parts and requires CRLF at the end of request (rfc2616-sec5))
+ Script variable encoding: encoded characters (&, |, =, <, >, { and }) are still converted to hex BUT there are '\' before x[hex], e.g. '&' = '\x26'
! Fixed: authorization wasn't checked for directories
+ 414 response if too long request-uri (over 3kb)
+ Client headers are now case-insensitive

v1.4.3
---
+ FTP non-blocking file transfer (now allowing multiple file transfers and browsing simultaneously)

v1.4.2
---
+ Added http.executecgi
+ Clean unused memory
+ More balanced
! Clean FTP login environment variables after login
! Fixed buffer overflow bug in c_strdblsplt
- dm.js removed from resources. Disabling right-click menu was cool but bit useless...
! Sending 404 -error if dll resource not found (instead of sending blank file)
+ !DOCTYPE -tag for directory lists

v1.4.1
---
! Fixed: http://www.milw0rm.com/exploits/9657 Damn, what a bug!

v1.4
---
! Fixed CGI "status" -header handling
! Fixed problems with C -commenting
+ Able to compare to arrays (comparing value to multiple values)
! Found & fixed some script engine bugs (other problems may still appear)
+ Support for FTP PORT -command
! Fixed bug in FTP CDUP -command
+ FTP improvised (e.g. less failures, bit faster)
- ftp.listen_thread_start_time removed due to ftp improvisation
! CONTENT_LENGTH is updated for every cgi file (all methods instead of only POST)

v1.3.6
---
! Bug fixed: crash when URI length over 255 characters (shame that I didn't notice this earlier)
! Lots of other bug fixes (security related)
! Fixed some script problems
! Fixed some bugs found by Nikto 2.03
+ &, |, =, <, >, { and } are converted to hex for REQUEST_URI and HTTP_HOST (no more "^&", "^|" etc.)
+ 304 and 412 responses now keep keep-alive connections alive (again httpdx is faster!)

v1.3.5
---
! Exploitable bug fixed: forbidden files were accessible by adding e.g. ?&&i==0 after request uri.
  NOTE: Now "&" is "^&", "|" is "^|" and "=" is "^=" to avoid the "and/or" -exploit.
  This concerns only the script REQUEST_URI -variable.
+ Increased expression string buffer sizes
+ Added http.post_max_size
+ Fixed some site loading problems
+ Script interpreter speed increased a bit
+ Pointer tables changed to structures to make code cleaner!

v1.3.4
---
+ 500 -errorpage updated
+ SetConsoleCtrlHandler
! Default value for ftp.pasv_min increased from 255 to 256

v1.3.3
---
! ftp.pasv_min and ftp.pasv_max weren't recognized since v. 1.3
+ Added errors for invalid configuration variable values (preventing crash)

v1.3.2
---
+ Finally supporting HEAD -method
+ Support for If-Unmodified-Since and 412 -responses
! Removed additional "Location" -header in 301 -response
+ Added "Keep-Alive" -header for keep-alive connections
+ Added icons for html (totally forgotten), perl and python
- Removed additional "." in directory list
+ Php icon changed

v1.3.1
---
+ Added ftp.text_connect and ftp.text_quit
! Stupid fatal bug fixed in daemon.cpp (caused by the last update)

v1.3
---
+ http.diricons values changed to URI.
+ Added FTP_REMOTE_ADDR -environment variable
+ Added REQUEST ENTITY TOO LARGE (413) -response
! LENGTH REQUIRED and INTERNAL SERVER ERROR were mixed together
+ Improvised script engine (same syntax)
- http.dir_php, http.dir_perl, http.dir_php_ini, http.php_exts, http.perl_exts removed
+ Added http.handlers -array variable which allows you to set your own handlers (including php + perl)
+ Responding with 500 (internal server error) when failed opening pipe or script has syntax error
+ Added page for 501 (not implemented)
+ Script strings can now include quotes by using ^"
+ Added http.exclude-exts -variable
+ Now removing root directory path from directory list title path, e.g. example.com/downloads -> /downloads
! Bug fixed: 401 error came before 404

v1.2
----
+ server.addr_retr is now server.wan
+ Added ftp.debug
+ Added http.redirect
! Bug fixed: 403 error came before 404
+ Added few css files to resource.dll
! Fixed cgi's "Status" -header handling (still on development)
! Bug fixed: httpdx crashed when WAN IP retrieving enabled

v1.1
----
+ Added support for If-Modified-Since
+ Added http.debug -variable
+ If -statement now supports && (and) and || (or)
! Fixed bug in http.log -variable handling
+ Exit from main thread
+ Added "include" command line option
+ Added http.index-info -variable and "index description" -feature

v1.0
-----
+ First release (new httpdx (yes, "new", there was an older assembly))