January 5th 2000, a serious security problem with War FTP Daemon
1.70 was reported by email. Two hours after I read the mail,
a security alert was sent to the war-ftpd mailing list,
the alt.comp.jgaa newsgroup and the bugtraq mailing list.
The alert advised all server operators to take the server
off-line until further notice.
Brief overview:
*War FTP Daemon 1.70: The bug allows unrestricted access
to any file on the local machine also for users
that have not logged on. If an older ODBC driver
is installed, the bug also gives users unlimited
access to all system commands, with administrator
privileges (this is a bug in ODBC that has been
fixed in recent versions). The advice is to take
all version 1.70 servers off-line until the server
is upgraded! A bugfix (War FTP Daemon 1.71) was
released january 8th 2000 14:40 CET.
*War FTP Daemon 1.67b2 and previous versions: The bug may
give privileged uses unrestricted access to some
files. Users must be logged in, and have at least
write or create permissions. Users can not
execute commands. A bugfix was released less than
24 hours from I read the mail that reported the problem.
Bugfixes are released at:
ftp://ftp.no.jgaa.com
The latest information about this problem can be found at:
http://war.jgaa.com/alert/
Jarle Aase