[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Serious security vulnerabilities in Serv-U FTP Software

Title: Serious security vulnerabilities in Serv-U FTP Software
Released by: Serv-U
Date: 6th December 2000
Printable version: Click here
Dear Serv-U User,

A new version of FTP Serv-U, v2.5i, is available from

http://ftpserv-u.deerfield.com/download/getftpservu.cfm

Your current registration key should work fine with the new version. To

upgrade simply unzip the file SUSETUP.ZIP and run the SETUP.EXE program.

This should automagically find your current installation and update it. A

note of warning: Do *not* uninstall Serv-U before upgrading! Uninstalling

will wipe out your settings and registration information. Of course, it is

always a good idea to first make a backup of your Serv-U directory before

upgrading (all your settings and registration key are in the SERV-U.INI

file, by default this is in c:\program files\serv-u\)!

The main reason for this release is a VERY NASTY SECURITY BUG. Pardon the

caps but I needed to get your attention. Upgrading to v2.5i is not just

recommended but almost a necessity if your FTP server is on the Internet!

The bug involves the use of paths like "/..%20.". You can test for yourself

by setting up a test account with some subdirectory as its homedir and

"show paths relative ..." enabled. Log in using the command line client,

then type "cd /..%20." (no quotes) and you'll suddenly find yourself one

above the homedir with the same access as the homedir. These paths can be

combined to reach anything on the drive. Works for accounts that do not

have "show paths relative ..." as well, just a little more tricky. Works

without using the '%20' (=space) in the path as well, but again that's a

little harder. In other words, this really is a serious security problem. I

heard about it yesterday morning. A fix was ready by afternoon and the Q&A

people did some testing on it later yesterday. As far as I know it has not

been publicized yet but this will happen in a few days. That means once

it's known there will be hackers scowering the Internet for old versions of

Serv-U to break in. This bug has been present in all versions since v2.4.

For a complete list of changes please see the VERSION.TXT file which is

available on the FTP site and part of the Serv-U installation.

The beta version 3.0 has the exact same bug. I've also produced a fix for

that, build 6, it is available from http://ftp.cat-soft.com/beta. A separate

announcement will go out to the beta list.

Happy transfers!

Rob

-/-

--- This message was entirely written using recycled electrons ---

All about FTP Serv-U v2.5i: http://www.ftpserv-u.com

FTP Serv-U list: http://www.ftpserv-u.com/helpdesk/mailinglist.htm








(C) 1999-2000 All rights reserved.