WU-FTPD (more fully wuarchive-ftpd, also frequently spelled in lowercase as wu-ftpd) is an FTP server that was the standard FTP daemon in Solaris up to and including version 9 and in HP-UX 9, 10 and 11. AIX and Linux do not use wu-ftpd. Development of the codebase stopped in 2001. It can now be considered abandonware, although it is still used in HP-UX, which maintains its own patches and enhancements to version 2.6.1 (effectively a fork of the codebase).
It was originally written by Chris Myers and Bryan D. O'Connor at Washington University as a replacement for the BSD FTP daemon, for use on the Washington University network, primarily the large wuarchive site. Until approximately the year 2000 it was the most common FTP server in use, but it is now rarely used. Linux distributions adopted two different FTP daemons:
One advantage of wu-ftpd is its very rich and flexible configuration, which makes it attractive for sites that host large FTP archives.
For example, the ftpaccess configuration file provides two useful checks on DNS resolution of the incoming connection's IP address, refusing the connection if the reverse DNS lookup fails (refuse_no_reverse) or if the forward and reverse lookups do not match (refuse_mismatch):
    dns refuse_mismatch <filename> [ override ]
    dns refuse_no_reverse <filename> [ override ]
One factor in wu-ftpd's demise was its security vulnerabilities. They were generally overblown by security jerks, but some were real: in 2001, for example, the Ramen worm used WU-FTPD as one of its possible intrusion mechanisms.
WU-ftpd
The current version of WU-FTPD, 2.6.2, was released on 29 Nov 2001 and is available from ftp.wu-ftpd.org.
How-tos
- Guest HOWTO: Describes the basics of setting up your FTP server for guest accounts, that is, allowing real Unix users to log in but jailing them in a chroot'd area.
- Lundberg's addendum to the Guest HOWTO (November 2000): Describes how to tell whether you are actually using the ftpaccess file, and one way of simplifying the setup of guest areas.
- TELNET Testing HOWTO: Describes how to use the telnet command to test your FTP server. FTP clients can sometimes hide problems, and doing away with them is the only way to see what is happening.
- Upload Configuration HOWTO: Describes the process and security considerations of allowing anonymous (and other) users to upload to your FTP server.
HP
The File Transfer Protocol (FTP) enables you to transfer files between a client host system and a remote server host system. On the client system, a file transfer program provides a user interface to FTP; on the server, the requests are handled by the FTP daemon, ftpd. WU-FTPD is the FTP daemon for HP-UX systems. It is based on the replacement FTP daemon developed at Washington University. WU-FTPD 2.6.1 is the latest version of WU-FTPD available on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 platforms.
The FTP client with SSL support is available for download from this page for the HP-UX 11i v2 operating system. Starting from May 2010, the WU-FTPD 2.6.1 bundle that you can download from this page contains the FTP daemon with SSL support for the HP-UX 11i v3 operating system.
Table 1: Latest WU-FTPD 2.6.1 Bundle Numbers
| Product Version Number | Operating System | Bundle Version Number | Release Date |
|---|---|---|---|
| WU-FTPD 2.6.1 Bundle Versions: HP Revision 1.014 (a) | HP-UX 11i v1 | B.11.11.01.014 | July 2010 |
| HP Revision 1.001 (a) | HP-UX 11i v2 (b) | B.11.23.01.001 | September 2008 |
| HP Revision 6.0 (a) | HP-UX 11i v3 (b) | C.2.6.1.7.0 | May 2011 |
(a) IPv6-enabled version of WU-FTPD 2.6.1 available.
(b) The TLS/SSL feature is available for the HP-UX 11i v2 and HP-UX 11i v3 operating systems.
WU-FTPD 2.6.1 offers the following features:
- Virtual hosts support
- The privatepw utility
- New clauses in the /etc/ftpd/ftpaccess file
- IPv6 support
- New command-line options
- New features related to data transfer
- New configuration file, /etc/ftpd/ftpservers
- A set of virtual domain configuration files used by ftp
WU-FTPD 2.6.1 for the HP-UX 11i v2 and HP-UX 11i v3 operating systems now supports the TLS/SSL feature. For more information on the TLS/SSL feature, see WU-FTPD 2.6.1 Release Notes on the HP Business Support Center.
IMPORTANT: The WU-FTPD 2.6.1 depot that you can download from this page is the TLS/SSL-enabled version of FTP. The core (default) HP-UX 11i v2 operating system still contains the non-TLS/SSL version of FTP. For patch updates to WU-FTPD 2.6.1 in the core HP-UX 11i v2 operating system, see http://itrc.hp.com
Compatibility Information
For HP-UX 11i v1 customers, WU-FTPD 2.6.1 adds new functionality to the already existing WU-FTPD 2.4 software, which is delivered as part of the core networking products on HP-UX 11i v1. For HP-UX 11.0, this version allows customers to upgrade to WU-FTPD 2.6.1 from either the legacy FTP version, which is delivered with the core networking products on HP-UX 11.0, or from WU-FTPD 2.4, which is available in the patch PHNE_21936.
Documentation
The following product documentation is available with WU-FTPD 2.6.1.
Man Pages
The following man pages are distributed with the WU-FTPD 2.6.1 depot:
- ftp.1
- ftpd.1m
- ckconfig.1
- ftprestart.1
- ftpwho.1
- ftpcount.1
- ftpshut.1
- privatepw.1
- ftpaccess.4
- ftpgroups.4
- ftpservers.4
- ftpconversions.4
- ftpusers.4
- ftphosts.4
- xferlog.5
2003-07-31 | WU-FTPD Development Group
A vulnerability has been found in the current versions of WU-FTPD up to 2.6.2. Information describing the vulnerability is available from:
- CIAC bulletin N-132
- CVE CAN-2003-0466
- Red Hat errata RHSA-2003-245 with updated packages
- isec.pl
Please apply the realpath.patch patch to WU-FTPD 2.6.2.
This fixes an off-by-one error in the fb_realpath() function, derived from the realpath() function in BSD. It may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2, via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
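To make the bug class behind this advisory concrete, here is an added C example written for this page; it is not wu-ftpd's fb_realpath() code. It models a realpath-style loop that appends one path component at a time into a fixed buffer: room_offbyone is a length check that forgets the terminating NUL and therefore admits a path of exactly the buffer size (the MAXPATHLEN+1-byte case the advisory describes), room_ok is the corrected check, and build_path is a hardened builder that also lets snprintf bound every write. PATHMAX is a stand-in for MAXPATHLEN, shrunk to 16 so the boundary is easy to see, and the component lists are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define PATHMAX 16  /* stand-in for MAXPATHLEN, shrunk so the boundary is easy to see */

/* Length check with the off-by-one: it admits a resolved path of PATHMAX characters,
   which needs PATHMAX + 1 bytes once the terminating NUL is counted. */
int room_offbyone(size_t used, size_t add) { return used + add <= PATHMAX; }

/* Corrected check: the characters plus the NUL must fit in PATHMAX bytes. */
int room_ok(size_t used, size_t add) { return used + add < PATHMAX; }

/* Walks the components the way a realpath-style loop does, appending "/component"
   each round, and reports whether the given check would admit every append.
   It writes nothing, so the buggy check can be compared with the correct one safely. */
int check_admits(int (*room)(size_t, size_t), const char *const *comps, size_t ncomps)
{
    size_t used = 0;
    for (size_t i = 0; i < ncomps; i++) {
        size_t add = 1 + strlen(comps[i]);   /* the '/' plus the component */
        if (!room(used, add)) return 0;
        used += add;
    }
    return 1;
}

/* Hardened builder: uses the corrected check and lets snprintf bound every write to the
   bytes actually left, treating truncation as an error. Returns the resulting length,
   or -1 if the path does not fit; out is left empty in that case. */
int build_path(char out[PATHMAX], const char *const *comps, size_t ncomps)
{
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < ncomps; i++) {
        size_t add = 1 + strlen(comps[i]);
        if (!room_ok(used, add)) { out[0] = '\0'; return -1; }
        int n = snprintf(out + used, PATHMAX - used, "/%s", comps[i]);
        if (n < 0 || (size_t)n >= PATHMAX - used) { out[0] = '\0'; return -1; }
        used += (size_t)n;
    }
    return (int)used;
}

/* Constructed inputs: 15 characters fit in 16 bytes, 16 characters do not. */
const char *const FITS[]     = { "abcdef", "abcdefg" };   /* "/abcdef/abcdefg"  */
const char *const BOUNDARY[] = { "abcdefg", "abcdefg" };  /* "/abcdefg/abcdefg" */

int main(void)
{
    char buf[PATHMAX];
    int built = build_path(buf, BOUNDARY, 2);
    printf("boundary path: buggy check admits=%d, correct check admits=%d, build=%d\n",
           check_admits(room_offbyone, BOUNDARY, 2), check_admits(room_ok, BOUNDARY, 2), built);
    built = build_path(buf, FITS, 2);
    printf("fitting path: build=%d -> %s\n", built, buf);
    return 0;
}
```

The point to carry away for code review is the comparison operator: a check that compares the character count against the buffer size with `<=` leaves no room for the NUL, and a path one byte longer than the check anticipates is exactly the input the advisory lists the STOR, RETR and other commands as producing.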
Additionally, applying the connect-dos.patch is advised for all systems.
This patch fixes a possible denial of service attack on systems that allow only one non-connected socket bound to the same local address.
Additionally, applying the skeychallenge.patch is advised strongly for systems using S/Key logins.
This patch fixes a stack overflow in the S/Key login handling.
Requirements: wu-ftpd 2.6.0
/etc/ftpaccess
First, you need to add an additional class for users that are allowed to do FXP (unless you just want to use the predefined class "all"). If you add a new class, this line MUST come before the catch-all class "all"; otherwise the client will match class "all" first.
The line is of the form:
    class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]
Then you add lines to allow PASV and PORT commands to hosts whose IPs don't match the client (to allow FXP).
These lines are of the form:
    port-allow {ArbitraryClassName} {HostAddrs}
    pasv-allow {ArbitraryClassName} {HostAddrs}
Example
    class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
    class all real,guest,anonymous *
    port-allow newclass 0.0.0.0/0
    pasv-allow newclass 0.0.0.0/0
This basically adds a new class (creatively called "newclass"); note that it appears BEFORE the line containing the class "all". This new class contains all hosts in the subdomains mydomain.net and more.client.addresses.com (domains obviously made up by yours truly), in order to limit who we will allow to do FXP. The port-allow and pasv-allow lines basically allow FXP connections to anywhere if your client is in the class "newclass".
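To show how the class-ordering rule in this how-to plays out, here is an added C example written for this page (not wu-ftpd's own code). It reads the class lines of an ftpaccess fragment, picks the first class whose access type and host pattern match, which is the first-match behaviour the text describes, and flags any class that an earlier catch-all class makes unreachable. It is a deliberately simplified model: it assumes each class sits on one line as whitespace-separated tokens, matches hosts only as glob patterns with fnmatch(3) (address forms such as the 0.0.0.0/0 used in port-allow are not handled), and ignores every clause other than class. FTPACCESS_OK is a constructed copy of the fragment above, and the host names used with it are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <fnmatch.h>

#define MAX_CLASSES 16
#define MAX_ADDRS   8
#define TOK         64

struct ftpclass {
    char name[TOK];
    char types[TOK];             /* comma-separated access types, as written */
    char addrs[MAX_ADDRS][TOK];  /* host patterns, tried in order */
    int  naddrs;
};
struct ftpaccess { struct ftpclass classes[MAX_CLASSES]; int nclasses; };

/* Copy the next whitespace-delimited token of the current line into out; 0 at end of line. */
static int next_token(const char **p, char *out, size_t n)
{
    const char *s = *p;
    size_t i = 0;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '\0' || *s == '\n') { *p = s; return 0; }
    for (; *s && *s != ' ' && *s != '\t' && *s != '\n'; s++)
        if (i + 1 < n) out[i++] = *s;
    out[i] = '\0';
    *p = s;
    return 1;
}

/* Read the "class" clauses of an ftpaccess text in file order; every other clause is
   skipped. Returns the number of classes read, or -1 on a malformed class line. */
int parse_classes(const char *text, struct ftpaccess *cfg)
{
    const char *p = text;
    char tok[TOK];
    cfg->nclasses = 0;
    while (*p) {
        if (next_token(&p, tok, sizeof tok) && strcmp(tok, "class") == 0) {
            if (cfg->nclasses >= MAX_CLASSES) return -1;
            struct ftpclass *c = &cfg->classes[cfg->nclasses];
            if (!next_token(&p, c->name, TOK) || !next_token(&p, c->types, TOK)) return -1;
            for (c->naddrs = 0; c->naddrs < MAX_ADDRS &&
                 next_token(&p, c->addrs[c->naddrs], TOK); c->naddrs++)
                ;
            if (c->naddrs == 0) return -1;   /* a class needs at least one host pattern */
            cfg->nclasses++;
        }
        while (*p && *p != '\n') p++;        /* drop the rest of the line */
        if (*p == '\n') p++;
    }
    return cfg->nclasses;
}

/* True when the comma-separated list contains exactly the wanted access type. */
static int has_type(const char *types, const char *want)
{
    size_t wl = strlen(want);
    const char *s = types;
    for (;;) {
        const char *e = strchr(s, ',');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == wl && strncmp(s, want, wl) == 0) return 1;
        if (!e) return 0;
        s = e + 1;
    }
}

/* The first class whose access types include login_type and whose host patterns match
   wins, which is how ftpaccess evaluates class lines. Returns NULL when none matches. */
const char *classify(const struct ftpaccess *cfg, const char *login_type, const char *host)
{
    for (int i = 0; i < cfg->nclasses; i++) {
        const struct ftpclass *c = &cfg->classes[i];
        if (!has_type(c->types, login_type)) continue;
        for (int j = 0; j < c->naddrs; j++)
            if (fnmatch(c->addrs[j], host, 0) == 0) return c->name;
    }
    return NULL;
}

/* Lint for the ordering rule: class k can never match if an earlier class carries a
   "*" pattern and lists every access type of k. Returns the first such k, or -1. */
int first_unreachable_class(const struct ftpaccess *cfg)
{
    for (int k = 1; k < cfg->nclasses; k++)
        for (int i = 0; i < k; i++) {
            const struct ftpclass *e = &cfg->classes[i];
            int catch_all = 0, covered = 1;
            char tmp[TOK];
            for (int j = 0; j < e->naddrs; j++)
                if (strcmp(e->addrs[j], "*") == 0) catch_all = 1;
            snprintf(tmp, sizeof tmp, "%s", cfg->classes[k].types);
            for (char *t = strtok(tmp, ","); t; t = strtok(NULL, ","))
                if (!has_type(e->types, t)) covered = 0;
            if (catch_all && covered) return k;
        }
    return -1;
}

/* The fragment from the how-to above, in the order it requires (constructed copy). */
const char *FTPACCESS_OK =
    "class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com\n"
    "class all real,guest,anonymous *\n"
    "port-allow newclass 0.0.0.0/0\n"
    "pasv-allow newclass 0.0.0.0/0\n";
```

With the fragment as written, parse_classes(FTPACCESS_OK, &cfg) reads two classes, classify(&cfg, "real", "ftp.mydomain.net") returns "newclass" and first_unreachable_class(&cfg) returns -1. Swap the two class lines and the same host is classified as "all" while the lint reports class 1 as unreachable, which is the misconfiguration the how-to warns about: the FXP permissions granted to newclass would then never apply to anyone.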
Jan 14, 2001 | Linux Today
WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd. The problem exists in the privatepw helper program. As well, Linux-Mandrake 7.2 users must update to this package as it fixes security problems as discussed in the prior advisory, MDKSA-2000:014, which had not been previously addressed for 7.2.
All of the updated packages for Linux Mandrake versions 6.0 through 7.1 and the packages for Corporate Server 1.0.1 had an incorrect dependency on the xinetd package which prevented MandrakeUpdate from installing the updates. Updated packages for these versions have been released that are no longer dependent upon xinetd.
This release fixes the recent root compromise problems discovered in version 2.6.0, and includes other fixes and improvements.
"Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Unix systems developed at Washington University. wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world."
Check the relevant links and changes history at AppWatch.com.
We are working on a new release that fixes this and some other problems. Some Linux vendors (Red Hat and Debian) have already released their patches. A source patch is available in the quickfixes directory for release 2.6.0.
WU-FTPD - Wikipedia, the free encyclopedia
WU-FTPD Development Group -- official site
WU-FTPD Server Software -- mirror
How-To Guide for wu-ftpd on Solaris 2.x
Securing an Anonymous FTP Server in Solaris 8 with WU-FTPD
BigAdmin Description - WU-FTPD
Frequently Asked Questions about wu-ftpd
Digest Name: Daily Security Bulletins Digest
Created: Mon Dec 13 3:00:05 PST 1999
Table of Contents:
Document ID Title
--------------- -----------
HPSBUX9912-106 Security Vulnerability in wu-ftp
The documents are listed below.
-------------------------------------------------------------------------------
Document ID: HPSBUX9912-106
Date Loaded: 19991212
Title: Security Vulnerability in wu-ftp
-------------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00106, 13 Dec. 1999
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Multiple vulnerabilities in wu-ftp software.
PLATFORM: HP9000 series 7/800 servers running HP-UX release 11.00 only.
DAMAGE: Any user can gain root privileges.
SOLUTION: Apply the patch noted below.
AVAILABILITY: The patch is available now.
-------------------------------------------------------------------------
I.
A. Background
Starting with HP-UX release 11.00, Hewlett-Packard has made
available the ported wu-ftp code. There are buffer overruns in
the wu-ftpd plus corrections to other client functionality as
mentioned in AUSCERT AA-1999.02 Advisory, dated 19 October 1999.
See www.auscert.org.au.
HP-UX release 10.20 supports only our legacy ftp and is not affected.
Release 11.00 is, however, vulnerable and needs this patch. Our
patch addresses the vulnerabilities that have been fixed in the
2.6.0 release of wu-ftpd which has been made available by the
WU-FTPD Development Group.
B. Fixing the problem - Install patch PHNE_18377.
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic mail,
do the following:
Use your browser to get to the HP IT Resource Center page
at:
http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com (for Europe)
Under the Maintenance and Support Menu (Electronic Support Center):
click on the "more..." link. Then -
To -subscribe- to future HP Security Bulletins, or
To -review- bulletins already released
click on "Support Information Digests" near the bottom of the
page, under "Notifications".
Login with your user ID and password (or register for one).
(Remember to save the User ID assigned to you, and your password).
On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".
Once in the archive the third link is to our current Security
Patch Matrix. Updated daily, this matrix categorizes security
patches by platform/OS release, and by bulletin topic.
The security patch matrix is also available via anonymous ftp:
us-ffs.external.hp.com
~ftp/export/patches/hp-ux_patch_matrix
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this Bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the Bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
CERT Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD
Copyright © 1996-2013 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine. This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
Last modified: April 24, 2013