Serious security vulnerabilities in Serv-U FTP Software
6th December 2000
Dear Serv-U User,
A new version of FTP Serv-U, v2.5i, is available from
Your current registration key should work fine with the new version. To
upgrade simply unzip the file SUSETUP.ZIP and run the SETUP.EXE program.
This should automagically find your current installation and update it. A
note of warning: Do *not* uninstall Serv-U before upgrading! Uninstalling
will wipe out your settings and registration information. Of course, it is
always a good idea to first make a backup of your Serv-U directory before
upgrading (all your settings and registration key are in the SERV-U.INI
file, by default this is in c:\program files\serv-u\)!
The main reason for this release is a VERY NASTY SECURITY BUG. Pardon the
caps but I needed to get your attention. Upgrading to v2.5i is not just
recommended but almost a necessity if your FTP server is on the Internet!
The bug involves the use of paths like "/..%20.". You can test for yourself
by setting up a test account with some subdirectory as its homedir and
"show paths relative ..." enabled. Log in using the command line client,
then type "cd /..%20." (no quotes) and you'll suddenly find yourself one
above the homedir with the same access as the homedir. These paths can be
combined to reach anything on the drive. It also works for accounts that do
not have "show paths relative ..." enabled, it is just a little trickier. It
also works without the '%20' (= space) in the path, but again that is a
little harder. In other words, this really is a serious security problem. I
heard about it yesterday morning. A fix was ready by afternoon and the Q&A
people did some testing on it later yesterday. As far as I know it has not
been publicized yet but this will happen in a few days. That means once
it's known there will be hackers scouring the Internet for old versions of
Serv-U to break in. This bug has been present in all versions since v2.4.
For a complete list of changes please see the VERSION.TXT file which is
available on the FTP site and part of the Serv-U installation.
The beta version 3.0 has the exact same bug. I've also produced a fix for
that, build 6, it is available from http://ftp.cat-soft.com/beta. A separate
announcement will go out to the beta list.
--- This message was entirely written using recycled electrons ---
All about FTP Serv-U v2.5i: http://www.ftpserv-u.com
FTP Serv-U list: http://www.ftpserv-u.com/helpdesk/mailinglist.htm