Subject: (no subject)
From: Christian Antkow (xianIDSOFTWARE.COM)
Date: Tue Dec 05 2000 - 11:37:33 CST


  Rob Beckers of Cat Soft sent this out this morning.

  -Xian

---

Dear Serv-U User,

A new version of FTP Serv-U, v2.5i, is available from http://ftpserv-u.deerfield.com/download/getftpservu.cfm

Your current registration key should work fine with the new version. To upgrade simply unzip the file SUSETUP.ZIP and run the SETUP.EXE program. This should automagically find your current installation and update it.

A note of warning: Do *not* uninstall Serv-U before upgrading! Uninstalling will wipe out your settings and registration information. Of course, it is always a good idea to first make a backup of your Serv-U directory before upgrading (all your settings and registration key are in the SERV-U.INI file, by default this is in c:\program files\serv-u\)!

The main reason for this release is a VERY NASTY SECURITY BUG. Pardon the caps but I needed to get your attention. Upgrading to v2.5i is not just recommended but almost a necessity if your FTP server is on the Internet!

The bug involves the use of paths like "/..%20.". You can test for yourself by setting up a test account with some subdirectory as its homedir and "show paths relative ..." enabled. Log in using the command line client, then type "cd /..%20." (no quotes) and you'll suddenly find yourself one above the homedir with the same access as the homedir. These paths can be combined to reach anything on the drive. Works for accounts that do not have "show paths relative ..." as well, just a little more tricky. Works without using the '%20' (=space) in the path as well, but again that's a little harder. In other words, this really is a serious security problem.

I heard about it yesterday morning. A fix was ready by afternoon and the Q&A people did some testing on it later yesterday. As far as I know it has not been publicized yet but this will happen in a few days. That means once it's known there will be hackers scouring the Internet for old versions of Serv-U to break in. This bug has been present in all versions since v2.4.

For a complete list of changes please see the VERSION.TXT file which is available on the FTP site and part of the Serv-U installation.

The beta version 3.0 has the exact same bug. I've also produced a fix for that, build 6, it is available from ftp://ftp.cat-soft.com/beta. A separate announcement will go out to the beta list.

Happy transfers!

Rob

-/-
--- This message was entirely written using recycled electrons ---
All about FTP Serv-U v2.5i: http://www.ftpserv-u.com
FTP Serv-U list: http://www.ftpserv-u.com/helpdesk/mailinglist.htm
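The traversal described in the forwarded message, as an added example that is not Serv-U code and not part of the original post: a naive confinement check that only recognises a component spelled exactly ".." sits beside a hardened resolver that percent-decodes the request, collapses trailing dots and spaces in each name, and confirms the result stays under the home directory. The assumption that the underlying filesystem ignores trailing spaces and dots (so ".. ." behaves like "..") is a model of the behaviour the message reports, not verified Serv-U internals; the home path and directory names are constructed.

```python
import posixpath
from urllib.parse import unquote

HOME = "/ftp/home/testuser"  # constructed home directory for the example


def naive_chroot_check(requested: str) -> bool:
    """Vulnerable pattern: only a component spelled exactly '..' counts as 'go up'.
    '/..%20.' decodes to '/.. .', which is not equal to '..', so this check accepts
    it even though the filesystem treats that name as the parent directory."""
    depth = 0
    for part in requested.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        elif part not in ("", "."):
            depth += 1
    return True


def fs_normalize_component(part: str) -> str:
    """Assumed filesystem model (assumption, not Serv-U internals): trailing spaces
    and dots in a name are ignored, so '.. .' and '.. ' behave like '..'."""
    stripped = part.rstrip(" .")
    if stripped:
        return stripped  # 'readme.txt. ' -> 'readme.txt'
    # Only dots and spaces remain: treat as '..' if it began that way, else '.'
    return ".." if part.startswith("..") else "."


def resolve_ftp_path(home: str, cwd: str, requested: str) -> str:
    """Hardened resolution: percent-decode, normalise each component as the
    filesystem would, collapse '.' and '..', then confine the result to home."""
    decoded = unquote(requested)
    base = home if decoded.startswith("/") else posixpath.join(home, cwd.lstrip("/"))
    parts = [fs_normalize_component(p) for p in decoded.split("/") if p]
    resolved = posixpath.normpath(posixpath.join(base, *parts))
    if resolved != home and not resolved.startswith(home + "/"):
        raise PermissionError(f"request escapes home directory: {requested!r}")
    return resolved


if __name__ == "__main__":
    print("naive check accepts /..%20.:", naive_chroot_check("/..%20."))
    try:
        resolve_ftp_path(HOME, "/", "/..%20.")
    except PermissionError as err:
        print("hardened resolver:", err)
```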