Vulnerability in WFTPD

We all make mistakes, and I made a mistake in a piece of code buried deep within WFTPD.

[Actually, I’ve made several mistakes, and there are certain to be a few I’ve yet to find.]

As a result, some sociopath has been able to release an “exploit” – a program that can be run against the WFTPD server that allows it to be broken into.

[Actually, the sociopath is not the first person to discover the flaw – “appsec.ch” notified me last month, and I’ve been bringing the new code up to scratch and testing it every spare minute since then, as well as testing workarounds.]

There’s never a good time to have a public disclosure of a vulnerability in your software, but the timing of most public disclosure addicts is impeccable – Thanksgiving, Christmas, weekends, vacations, these are all the most likely times for posting exploits, because that way, they can be distributed to the largest number of bad hackers, at a time when the fewest users will be looking for fixes.

This time, the exploit has come out at a time when we are in a spat with our ISP, 1&1 – they have disabled our password-protected directory support, so we aren’t able to provide downloads of registered software right now.

The best you can hope for with a vulnerability is that there is a workaround to use while such issues are resolved, new versions are tested, and before the final software can be deployed.

Sure enough, we have a workaround here.

For WFTPD Server, you will need to edit the WFTPD.INI file.  In the “[Server]” section, add a line that reads “GFPNMethod=0”.

For WFTPD Pro Server, edit the registry under “HKEY_LOCAL_MACHINE\Software\Texas Imperial Software\WFTPDPro\Servers\<ServerName>” [replace “<ServerName>” with the name of the server you’re editing – you will have to do this for each server]. Add a DWORD value called “GFPNMethod” and set it (either decimal or hexadecimal) to 0.

Here’s the important part – restart WFTPD Server or the WFTPD Pro service (depending on whether you have WFTPD Server or WFTPD Pro Server). This is one of those rare settings that is loaded only when the server is first loaded from the registry.

The truly paranoid will want to restart the machine, just to be “safe”.
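The workaround steps above can be scripted so that every WFTPD Pro server entry is covered and the result is read back. This is an added example, not code from the original post or from the vendor; the `$IniPath` and `$ServiceName` parameters are assumptions you must supply for your own installation, and the script needs an elevated PowerShell session.

```powershell
# Added example, not the vendor's tooling. $IniPath and $ServiceName are
# assumptions: the post gives neither, so set them for your installation.
param(
    [string]$IniPath,       # full path to WFTPD.INI (WFTPD Server)
    [string]$ServiceName    # Windows service name of WFTPD Pro, if installed
)
$serversKey = 'HKLM:\Software\Texas Imperial Software\WFTPDPro\Servers'

# WFTPD Pro Server: set the DWORD under every <ServerName> subkey, then read it back.
if (Test-Path $serversKey) {
    foreach ($server in Get-ChildItem $serversKey) {
        New-ItemProperty -Path $server.PSPath -Name 'GFPNMethod' `
            -PropertyType DWord -Value 0 -Force | Out-Null
        $value = (Get-ItemProperty -Path $server.PSPath -Name 'GFPNMethod').GFPNMethod
        '{0}: GFPNMethod={1}' -f $server.PSChildName, $value
    }
}

# WFTPD Server: make sure the [Server] section of WFTPD.INI holds GFPNMethod=0.
if ($IniPath -and (Test-Path $IniPath)) {
    # Keep the first backup; do not overwrite it on a second run.
    if (-not (Test-Path "$IniPath.bak")) { Copy-Item $IniPath "$IniPath.bak" }
    $lines = [System.Collections.Generic.List[string]]@(Get-Content $IniPath)
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -ieq '[Server]') { $start = $i; break }
    }
    if ($start -lt 0) {                                 # no [Server] section yet
        $lines.Add('[Server]'); $lines.Add('GFPNMethod=0')
    } else {
        $hit = -1                                       # search only inside [Server]
        for ($i = $start + 1; $i -lt $lines.Count -and $lines[$i] -notmatch '^\s*\['; $i++) {
            if ($lines[$i] -match '^\s*GFPNMethod\s*=') { $hit = $i; break }
        }
        if ($hit -ge 0) { $lines[$hit] = 'GFPNMethod=0' }    # overwrite any other value
        else { $lines.Insert($start + 1, 'GFPNMethod=0') }
    }
    Set-Content -Path $IniPath -Value $lines
    "${IniPath}: [Server] GFPNMethod=0 written"
}

# The setting is only read at startup, so restart before relying on it.
if ($ServiceName) { Restart-Service -Name $ServiceName }
else { 'Restart WFTPD Server or the WFTPD Pro service manually.' }
```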

Once we get our ISP replaced, we’ll be shipping a new version, 3.24. In the meantime, please use the workaround listed above.
