SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS
Updated February 4th 2000 13:30 Central European Time.
On January 5th 2000, a serious security problem with War FTP Daemon 1.70 was
reported by email. Two hours after I read the mail, a security alert was sent to
the war-ftpd mailing list, the alt.comp.jgaa newsgroup and the bugtraq mailing
list. The alert advised all server operators to take the server off-line until
further notice.
Brief overview
- War FTP Daemon 1.70: The bug allows unrestricted access to any file
on the local machine, including for users who have not logged on. If an older
ODBC driver is installed, the bug also gives users unlimited access to all
system commands, with administrator privileges (this is a bug in ODBC that
has been fixed in recent versions). The advice is to take all version 1.70
servers off-line until the server is upgraded! A bugfix (War FTP Daemon
1.71) was released January 8th 2000 14:40 CET. This version is not completely
tested yet. Please report any serious problems to jgaa@jgaa.com.
I will fix bugs in 1.70 over the next few weeks to make 1.70 a little more
comfortable to use while we wait for version 3.
- War FTP Daemon 1.67b2 and previous versions: The bug may give
privileged users unrestricted access to some files. Users must be logged in,
and have at least write or create permissions. Users cannot execute
commands. A bugfix was released less than 24 hours after I read the mail that
reported the problem.
Buffer overflow problem in 1.6*
On February 2nd 2000, a buffer-overflow problem in the 1.6 versions was
reported on BUGTRAQ. The problem does not seem to compromise security, but
the server can easily be crashed by remote attackers after they have logged
in. A fix was released February 3rd 2000, about an hour after I read about the
problem.
I'm sorry for any inconvenience caused by these problems.
General news
- War FTP Daemon 1.67. I will make a new full distribution for 1.67.
Until this is ready, 1.65 must be installed, and then upgraded.
- War FTP Daemon 1.72 service release. I will make a
service release of the 1.70 series in the near future. Some annoying bugs
will be fixed, and a command-line utility to add user accounts
interactively, or from scripts, will be released. There will also be a
simple DLL wrapper interface for easy integration with other software.
- War FTP Daemon 3.0. The development of the next major release
continues. 3.0 is currently running under Windows NT and Linux. The server
is however not yet ready for alpha-testing. When all the basic functionality
is implemented and debugged, ftp://ftp.jgaa.com will open up, using version 3.0.
This can be expected soon. Early versions for Windows 9x, Windows NT, Debian
Linux and FreeBSD will be available for download. Version 3.0 will be Open
Source, under the GNU Public License.
- http://download.jgaa.com will open when War FTP Daemon 3.0 moves into early alpha.
Jarle