Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

WU-FTPD

News

Books Recommended Links FTP Protocol FXP Troubleshooting of ftp connections FAQs

Ftp Filesystems

NetDrive Mirroring Tools FTP Security FTP over weak links FTP by mail Web publishing
Free FTP clients for Windows Filezilla Total Commander FAR Midnight commander Command line controlled FTP clients WebDrive
wu-ftpd ProFTPD pure ftpd vsftp Tips Humor Etc

WU-FTPD (more fully wuarchive-ftpd, also frequently spelled in lowercase as wu-ftpd) is a FTP server which was a standard FTPD daemon in Solaris up to and including version 9 and HP-UX 9, 10 and 11. AIX and Linux do not use wu-ftpd. Development of codebase stopped in 2001. Now it can be considered to be abandonware althouth it is still used in HP-UX which maintains its own patches and enhancements of version  2.6.1 (should be viewed as a fork of the codebase). 

It was originally written by Chris Myers and Bryan D. O'Connor in Washington University as a replacement of the BSD FTP daemon, for use in the Washington University network, primarily the large wuarchive site. Up to approximately year 2000 it was the most common FTP server in use, but now its rarely used. Linux distribution adopted two different ftp daemons:

One advantage of wu-ftpd is very rich and flexible configuration which makes it very attractive for sites that host large ftp archives.

For example, ftpaccess configuration file allows two very useful checks for DNS resolution of the coming connection IP blocking it if a reverse DNS lookup fails.

dns refuse_mismatch <filename> [ override ]
dns refuse_no_reverse <filename> [ override]

One factor in wu-ftpd demise were security vulnerabilities. They were generally overblown by security jerks, but some were real. For example in 2001 the Ramen worm used WU-FTPD as one of the possible intrusion mechanisms.

WU-ftpd

The current version of WU-FTPD is 2.6.2 is dated by Released 29 Nov, 2001 and is available from ftp.wu-ftpd.org.

How-tos

Guest HOWTO
Describes the basics of setting up your FTP server for guest accounts. That is, to allow real Unix users to log in, but jail them in a chroot'd area.

Lundberg's addendum to the Guest HOWTO from November, 2000
Describes how to tell you are actually using the ftpaccess file and one way of simplifying the setup of guest areas.

TELNET Testing HOWTO
Describes how to use the telnet command to test your FTP server. Sometimes FTP clients can hide problems and doing away with them is the only way to see what's happening.

Upload Configuration HOWTO
Describes the process and security considerations of allowing anonymous (and other) users to upload to your FTP server.


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[Oct 31, 2011] WU-FTPD 2.6.1 Special Release

HP

The File Transfer Protocol (FTP) enables you to transfer files between a client host system and a remote server host system. On the client system, a file transfer program provides a user interface to FTP; on the server, the requests are handled by the FTP daemon, ftpd. WU-FTPD is the FTP daemon for HP-UX systems. It is based on the replacement FTP daemon developed at Washington University. WU-FTPD 2.6.1 is the latest version of WU-FTPD available on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 platforms.

The FTP client with SSL support is available for download from this page for the HP-UX 11i v2 operating system. Starting from May 2010, the WU-FTPD 2.6.1 bundle that you can download from this page contains the FTP daemon with SSL support for the HP-UX 11i v3 operating system.

Table 1: Latest WU-FTPD 2.6.1 Bundle Numbers

Product Version
Number
Operating System Bundle Version
Number
Release Date
WU-FPTD 2.6.1 Bundle Versions
HP Revision: 1.014a HP-UX 11i v1 B.11.11.01.014 July 2010
HP Revision: 1.001a HP-UX 11i v2b B.11.23.01.001 September 2008
HP Revision: 6.0a HP-UX 11i v3b C.2.6.1.7.0 May 2011

IPv6-enabled version of WU-FTPD 2.6.1 available.
b The TLS/SSL feature is available for the HP-UX 11i v2 and HP-UX 11i v3 operating systems.

WU-FTPD 2.6.1 offers the following features:

WU-FTPD 2.6.1 for the HP-UX 11i v2 and HP-UX 11i v3 operating systems now supports the TLS/SSL feature. For more information on the TLS/SSL feature, see WU-FTPD 2.6.1 Release Notes on the HP Business Support Center.


IMPORTANT: The WU-FTPD 2.6.1 depot that you can download from this page is the TLS/SSL-enabled version of FTP. The core (default) HP-UX 11i v2 operating system still contains the non-TLS/SSL version of FTP. For patch updates to WU-FTPD 2.6.1 in the core HP-UX 11i v2 operating system, see http://itrc.hp.com

Compatibility Information

For HP-UX 11i v1 customers, WU-FTPD 2.6.1 adds new functionality to the already existing WU-FTPD 2.4 software, which is delivered as part of the core networking products on HP-UX 11i v1. For HP-UX 11.0, this version allows customers to upgrade to WU-FTPD 2.6.1 from either the legacy FTP version, which is delivered with the core networking products on HP-UX 11.0, or from WU-FTPD 2.4, which is available in the patch PHNE_21936.

Documentation

The following product documentation is available with WU-FTPD 2.6.1.

Man Pages

The following man pages are distributed with the WU-FTPD 2.6.1 depot:

[Oct 29, 2011] WU-FTPD Development Group

2003-07-31 | WU-FTPD Development Group

A vulnerability has been found in the current versions of WU-FTPD up to 2.6.2. Information describing the vulnerability is available from

Please apply the realpath.patch patch to WU-FTPD 2.6.2.

This fixes an off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD. It may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Additionally, applying the connect-dos.patch is advised for all systems.

This patch fixes a possible denial of service attack on systems that allow only one non-connected socket bound to the same local address.

Additionally, applying the skeychallenge.patch is advised strongly for systems using S/Key logins.

This patch fixes a stack overflow in the S/Key login handling.

[Oct 31, 2001] Setting up servers for FXP

To configure wu-ftpd to allow FXP

Requirements: wu-ftpd 2.6.0

/etc/ftpaccess

First, you need to add an additional class for users that are allowed to do FXP (unless you just want to use the predefined class "all"). If you add a new class, this line MUST be before the catch-all class "all", or the client will match class "all" first.

The line is of the form:

class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]

Then you add lines to allow PASV and PORT commands to hosts whose IPs don't match the client (to allow FXP)

These lines are of the form:
port-allow {ArbitraryClassName} {HostAddrs}
pasv-allow {ArbitraryClassName} {HostAddrs}

Example

class newclass real,guest,anonymous *.mydomain.net
*.more.client.addresses.com
class all real,guest,anonymous *

port-allow newclass 0.0.0.0/0
pasv-allow newclass 0.0.0.0/0

This basically adds a new class (creatively called "newclass") - note that it appears BEFORE the line containing the class "all" - this new class contains all hosts in the subdomains mydomain.net and more.client.addresses.com (domains obviously made up by yours truly), in order to limit who we will allow to do FXP. The port-allow and pasv-allow lines basically allow FXP connections to anywhere if your client is in the class "newclass".

[Jan 14, 2001] Linux-Mandrake Security Update Advisory wu-ftpd update

Jan 14, 2001 | Linux Today

WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd. The problem exists in the privatepw helper program. As well, Linux-Mandrake 7.2 users must update to this package as it fixes security problems as discussed in the prior advisory, MDKSA-2000:014, which had not been previously addressed for 7.2.

All of the updated packages for Linux Mandrake versions 6.0 through 7.1 and the packages for Corporate Server 1.0.1 had an incorrect dependency on the xinetd package which prevented MandrakeUpdate from installing the updates. Updated packages for these versions have been released that are no longer dependant upon xinetd.

[July 7, 2000] CERT has issued an advisory concerning WU-FTPD and all ftp daemons derived from BSD's final release.

[July 2, 2000] WU-FTPD 2.6.1 has been released. Download it from the distribution site or one of the world-wide mirrors.

This release fixes the recent root compromise problems discovered in version 2.6.0, and includes other fixes and improvements.

"Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Unix systems developed at Washington University. wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world."

Check the relevant links and changes history at AppWatch.com.

[June 26, 2000] AUSCERT Advisory AA-2000.02 recommends upgrading to 2.6.0 and applying the patch.

[June 22, 2000] a new exploit for wu-ftpd was published.

We are working on a new release that fixes this and some other problems. Some Linux vendors (redhat and debian) have already released their patches. source patch is available in the quickfixes directory for release 2.6.0.


Recommended Links

WU-FTPD - Wikipedia, the free encyclopedia

WU-FTPD Development Group -- official site

WU-FTPD Server Software -- mirror

Resource Center

How-To Guide for wu-ftpd on Solaris 2.x

Securing an Anonymous FTP Server in Solaris 8 with WU-FTPD

BigAdmin Description - WU-FTPD


Reference

WU-FTPD man pages

Frequently Asked Questions about wu-ftpd Also at Frequently Asked Questions about wu-ftpd

HOWTO guides

FTP and related RFCs

Securing an Anonymous FTP Server in Solaris 8 with WU-FTPD



Digest Name:  Daily Security Bulletins Digest
    Created:  Mon Dec 13  3:00:05 PST 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9912-106   Security Vulnerability in wu-ftp

The documents are listed below.
-------------------------------------------------------------------------------

Document ID:  HPSBUX9912-106
Date Loaded:  19991212
      Title:  Security Vulnerability in wu-ftp

-------------------------------------------------------------------------
    HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00106, 13 Dec. 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Multiple vulnerabilities in wu-ftp software.

PLATFORM: HP9000 series 7/800 servers running HP-UX release 11.00 only.

DAMAGE:   Any user can gain root privileges.

SOLUTION: Apply the patch noted below.

AVAILABILITY:  The patch is available now.

-------------------------------------------------------------------------
I.
   A. Background
      Starting with HP-UX release 11.00, Hewlett-Packard has made
      available the ported wu-ftp code.  There are buffer overruns in
      the wu-ftpd plus corrections to other client functionality as
      mentioned in AUSCERT AA-1999.02 Advisory, dated 19 October 1999.
      See www.auscert.org.au.

      HP-UX release 10.20 supports only our legacy ftp and is not affected.
      Release 11.00 is, however, vulnerable and needs this patch.  Our
      patch addresses the vulnerabilities that have been fixed in the
      2.6.0 release of wu-ftpd which has been made available by the
      WU-FTPD Development Group.

   B. Fixing the problem - Install patch PHNE_18377.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP IT Resource Center via electronic mail,
      do the following:

      Use your browser to get to the HP IT Resource Center page
      at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

      Under the Maintenance and Support Menu (Electronic Support Center):
        click on the "more..." link.  Then -

      To -subscribe- to future HP Security Bulletins, or
      To -review- bulletins already released
        click on "Support Information Digests" near the bottom of the
        page, under "Notifications".

      Login with your user ID and password (or register for one).
      (Remember to save the User ID assigned to you, and your password).

      On the "Support Information Digest Main" page:
      click on the "HP Security Bulletin Archive".

      Once in the archive the third link is to our current Security
      Patch Matrix.  Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

      us-ffs.external.hp.com
      ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

       [email protected]

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      [email protected].

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019