================================================================================
Delphis Consulting Plc
================================================================================

Security Team Advisories
[31/05/2000]

securityteam@delphisplc.com
[http://www.delphisplc.com/thinking/whitepapers/]

================================================================================
Adv     : DST2K0009
Title   : Userlisting Bug in Ipswitch WS_FTP Server 1.05E
Author  : DCIST (securityteam@delphisplc.com)
O/S     : Microsoft Windows NT v4.0 Server (SP5)
Product : Ipswitch WS_FTP Server 1.05E
Date    : 31/05/2000

I.   Description

II.  Solution

III. Disclaimer

================================================================================

I. Description
================================================================================

Severity: Low

An attacker using the "USER" command with a very long name, approximately 1000
characters, can confuse the Server Manager in certain circumstances.

If the site administrator connects remotely using the Server Manager, and then
views the Session Manager before expanding the tree, Server Manager cannot
properly administer the site during that connection. Invalid objects, or no
objects, will appear in the tree, and the Session Manager may not display all
users currently logged in.

If the site administrator opens the tree before viewing the Session Manager,
only the Session Manager data will be incorrect. Typically this manifests itself
as an inability to show all users currently connected to the site being
administered.

Attempting to refresh the Session Manager whilst it is in this confused state
leads to the Session Manager not displaying any users on the site being
administered.

Note that all detail still appears correctly logged in WS_FTP's log files.

II. Solution
================================================================================

Vendor Status: Informed

Currently there is no vendor patch available, but the following is a workaround
that Delphis Consulting Internet Security Team would recommend for users running
this service.

The workaround is to kill the invalid username the FIRST time Session Manager is
invoked. Disconnecting and reconnecting to the remote site should then allow
normal administration. It is possible that this procedure would need to be
followed several times for each invalid username.

III. Disclaimer
================================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE
TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
================================================================================
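
Because the Session Manager view cannot be trusted while it is in the confused
state described in section I, an administrator can look for the trigger itself:
a "USER" command carrying an overlong name. The following is an added example,
not part of the Delphis advisory or of Ipswitch's software, that flags such
commands in captured FTP control-channel lines. Assumptions: the 256-character
threshold, the (client, raw line) record shape and the sample records are
constructed for illustration; WS_FTP's own log format is not shown in the
advisory and is not parsed here.

```python
import re
from collections import Counter

# Threshold is an assumption: the advisory reports the problem at roughly
# 1000 characters, so flag well below that to catch near misses too.
MAX_USER_LEN = 256

# FTP control-channel command: verb, then optional space and argument (RFC 959).
CMD_RE = re.compile(rb"^(?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


def oversized_user_commands(records, limit=MAX_USER_LEN):
    """Return (client, name_length) for each USER command longer than limit.

    records: iterable of (client, raw_line) pairs; raw_line is the bytes seen
    on the control channel, with or without the trailing CRLF.
    """
    hits = []
    for client, raw in records:
        m = CMD_RE.match(raw.rstrip(b"\r\n"))
        if not m or m.group("verb").upper() != b"USER":
            continue  # not a USER command (FTP verbs are case-insensitive)
        name = m.group("arg") or b""
        if len(name) > limit:
            hits.append((client, len(name)))
    return hits


def clients_to_review(records, limit=MAX_USER_LEN):
    """Count oversized USER commands per client, most frequent first."""
    hits = oversized_user_commands(records, limit)
    return Counter(client for client, _ in hits).most_common()


# Constructed sample input (addresses are from the documentation ranges).
SAMPLE = [
    ("192.0.2.10", b"USER alice\r\n"),
    ("192.0.2.10", b"PASS not-a-real-password\r\n"),
    ("198.51.100.7", b"user " + b"A" * 1000 + b"\r\n"),
    ("198.51.100.7", b"USER " + b"B" * 999 + b"\r\n"),
    ("203.0.113.5", b"USER " + b"c" * 256 + b"\r\n"),  # exactly at the limit
]

if __name__ == "__main__":
    for client, count in clients_to_review(SAMPLE):
        print(f"{client}: {count} oversized USER command(s)")
```

Clients reported here are the ones whose sessions the workaround in section II
would need to be applied to.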