There are a number of V8.50 bug fixes in SVN and the overnight zip,
including a potential security risk in the FTP server, found during a
PCI DSS scan of my public server.  

OverbyteIcsFtpSrv.pas
Stopped LIST/RETR using ..\..\..\ (already stopped for CWD)

This fixes a potential security risk that allowed indexing of
directories higher than the root.  This was exposed by an extensive PCI
vulnerability test against the ICS server, with commands like:

< CWD ..//..//..//..//..//..//..//..//..//..//..//..//
> 501 CWD failed. Cannot accept relative path using dot notation - good!!

< CWD ..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c
Bad!!

< LIST ..\..\..\..\..\..\
> 150 Opening data connection for directory list. - bad!!

< RETR ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc/passwd
Build File Path, Directory:
d:\websites\magsys\www.magsys.co.uk\download\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\passwd - bad!!

OverbyteIcsWSocket.pas
LoadFromP12File correctly supports croYes as well as croTry; this
relates to loading P12/PFX SSL certificates that include a private key
and/or intermediates.

OverbyteIcsWSocketS.pas
Minor clean up of IcsHosts stuff.

OverbyteIcsHttpSrv.pas
Fixed bug setting WebRedirectStat in IcsHosts.
Fixed bug that meant the first IcsHost could not be SSL (really annoying).
Internal FSslEnable now FHttpSslEnable to ease confusion.

OverbyteIcsHttpAppServer.pas
Corrected onSslServerName to OnSslServerName to keep C++ happy.

OverbyteIcsMimeUtils.pas
TMimeTypesList always adds major missing standard MIME types after
other methods to avoid unknown types. 
AddContentType has option to ignore duplicate extensions to avoid
changing previous ones.

OverbyteIcsSnmpCli.pas
OverbyteIcsSnmpMsgs.pas
UnicodeIntoAnsiToString now checks for binary strings and converts them
to hex, thanks to xl...@sina.com



-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
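The check below is an added example, not part of the post above and not
code from the ICS sources. It shows the point the scan log makes: a
dot-notation refusal that is applied only to CWD, or that only recognises
"../", still lets ..%5c, ..\ and ..\\ reach LIST and RETR. The example
normalises all of those forms to one shape, refuses any ".." component
for every path-taking command (not just CWD, LIST and RETR), and then
confirms the resolved path still lies under the root. The root directory,
the reply wording, the command list and the percent-decoding step are
assumptions made for illustration.

```python
"""Added example (not ICS code): one path check for every FTP command that
takes a path, covering the encodings the PCI scan used (..//, ..%5c, ..\ and
..\\)."""
import posixpath
from urllib.parse import unquote

# Constructed sample root; the real server used a Windows directory.
ROOT = "/srv/ftp/download"

# Commands whose argument is a filesystem path. Checking CWD alone is not
# enough: LIST and RETR walk the tree just as well.  (Assumed list.)
PATH_COMMANDS = ("CWD", "LIST", "NLST", "RETR", "STOR", "DELE", "MKD", "RMD", "SIZE")


def path_segments(arg: str) -> list:
    """Split an FTP argument into components after undoing the tricks seen in
    the scan: percent-encoded separators and backslashes."""
    # FTP itself has no percent-encoding; decoding here is a defensive
    # assumption so "..%5c" is judged like "..\" instead of as a literal name.
    decoded = unquote(arg)
    # Windows file APIs accept "\" as a separator, so a check that only looks
    # for "/" lets ..\..\ through.  Treat both the same.
    decoded = decoded.replace("\\", "/")
    return [s for s in decoded.split("/") if s not in ("", ".")]


def resolve_under_root(root: str, cwd: str, arg: str):
    """Return the absolute path `arg` names, or None if it would leave root."""
    segs = path_segments(arg)
    if ".." in segs:
        return None  # the rule the post applies to CWD, here for every command
    base = root if arg[:1] in ("/", "\\") else cwd
    candidate = posixpath.normpath(posixpath.join(base, *segs))
    # Belt and braces: the normalised result must still sit inside root,
    # which also catches a cwd that was somehow set outside it.
    root = posixpath.normpath(root)
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def handle(root: str, cwd: str, verb: str, arg: str) -> str:
    """Build the reply line for a path-taking command.  Reply wording is
    constructed, modelled on the 501 reply in the scan log."""
    verb = verb.upper()
    if verb not in PATH_COMMANDS:
        return "502 Command not implemented."
    target = resolve_under_root(root, cwd, arg)
    if target is None:
        return f"501 {verb} failed. Cannot accept relative path using dot notation"
    return f"250 {verb} ok: {target}"


if __name__ == "__main__":
    # The probes are the ones from the scan log plus two benign names.
    probes = (
        "..//..//..//",
        "..%5c..%5c..%5c",
        "..\\..\\..\\..\\..\\..\\",               # ..\..\..\..\..\..\
        "..\\\\..\\\\..\\\\..\\\\etc/passwd",      # ..\\..\\..\\..\\etc/passwd
        "pub/file.zip",
        "/pub",
    )
    for probe in probes:
        for verb in ("CWD", "LIST", "RETR"):
            print(f"< {verb} {probe}")
            print(f"> {handle(ROOT, ROOT, verb, probe)}")
```

Refusing ".." outright is the simpler rule and matches what the post
describes; the prefix comparison after normalisation is the one that holds
up when a new encoding or separator appears that the segment splitter does
not know about, so keeping both is deliberate.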