WU-FTPD (more fully wuarchive-ftpd, also frequently spelled in lowercase as wu-ftpd) is an FTP server which was a standard FTP daemon in Solaris up to and including version 9 and in HP-UX 9, 10 and 11. AIX and Linux do not use wu-ftpd. Development of the codebase stopped in 2001. It can now be considered abandonware, although it is still used in HP-UX, which maintains its own patches and enhancements of version 2.6.1 (this should be viewed as a fork of the codebase).
It was originally written by Chris Myers and Bryan D. O'Connor at Washington University as a replacement for the BSD FTP daemon, for use in the Washington University network, primarily the large wuarchive site. Up to approximately the year 2000 it was the most common FTP server in use, but now it is rarely used. Linux distributions adopted two different ftp daemons:
One advantage of wu-ftpd is its very rich and flexible configuration, which makes it very attractive for sites that host large ftp archives.
For example, the ftpaccess configuration file provides two very useful checks on DNS resolution of the incoming connection's IP address, blocking the connection if a reverse DNS lookup fails:
dns refuse_mismatch <filename> [ override ]
dns refuse_no_reverse <filename> [ override ]
One factor in wu-ftpd's demise was security vulnerabilities. They were generally overblown by security jerks, but some were real. For example, in 2001 the Ramen worm used WU-FTPD as one of its possible intrusion mechanisms.
WU-ftpd
The current version of WU-FTPD is 2.6.2, released 29 Nov, 2001; it is available from ftp.wu-ftpd.org.
How-tos
Guest HOWTO
Describes the basics of setting up your FTP server for guest accounts. That is, to allow real Unix users to log in, but jail them in a chroot'd area.
Lundberg's addendum to the Guest HOWTO from November, 2000
Describes how to tell you are actually using the ftpaccess file and one way of simplifying the setup of guest areas.
TELNET Testing HOWTO
Describes how to use the telnet command to test your FTP server. Sometimes FTP clients can hide problems and doing away with them is the only way to see what's happening.
Upload Configuration HOWTO
Describes the process and security considerations of allowing anonymous (and other) users to upload to your FTP server.
HP
The File Transfer Protocol (FTP) enables you to transfer files between a client host system and a remote server host system. On the client system, a file transfer program provides a user interface to FTP; on the server, the requests are handled by the FTP daemon, ftpd. WU-FTPD is the FTP daemon for HP-UX systems. It is based on the replacement FTP daemon developed at Washington University. WU-FTPD 2.6.1 is the latest version of WU-FTPD available on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 platforms.
The FTP client with SSL support is available for download from this page for the HP-UX 11i v2 operating system. Starting from May 2010, the WU-FTPD 2.6.1 bundle that you can download from this page contains the FTP daemon with SSL support for the HP-UX 11i v3 operating system.
Table 1: Latest WU-FTPD 2.6.1 Bundle Numbers
| Product Version Number | Operating System | Bundle Version Number | Release Date |
| --- | --- | --- | --- |
| WU-FTPD 2.6.1 Bundle Versions | | | |
| HP Revision: 1.014 [a] | HP-UX 11i v1 | B.11.11.01.014 | July 2010 |
| HP Revision: 1.001 [a] | HP-UX 11i v2 [b] | B.11.23.01.001 | September 2008 |
| HP Revision: 6.0 [a] | HP-UX 11i v3 [b] | C.2.6.1.7.0 | May 2011 |
[a] IPv6-enabled version of WU-FTPD 2.6.1 available.
[b] The TLS/SSL feature is available for the HP-UX 11i v2 and HP-UX 11i v3 operating systems.
WU-FTPD 2.6.1 offers the following features:
- Virtual hosts support
- The privatepw utility
- New clauses in the /etc/ftpd/ftpaccess file
- IPv6 support
- New command-line options
- New features related to data transfer
- New configuration file, /etc/ftpd/ftpservers
- A set of virtual domain configuration files used by ftp
WU-FTPD 2.6.1 for the HP-UX 11i v2 and HP-UX 11i v3 operating systems now supports the TLS/SSL feature. For more information on the TLS/SSL feature, see WU-FTPD 2.6.1 Release Notes on the HP Business Support Center.
IMPORTANT: The WU-FTPD 2.6.1 depot that you can download from this page is the TLS/SSL-enabled version of FTP. The core (default) HP-UX 11i v2 operating system still contains the non-TLS/SSL version of FTP. For patch updates to WU-FTPD 2.6.1 in the core HP-UX 11i v2 operating system, see http://itrc.hp.com
Compatibility Information
For HP-UX 11i v1 customers, WU-FTPD 2.6.1 adds new functionality to the already existing WU-FTPD 2.4 software, which is delivered as part of the core networking products on HP-UX 11i v1. For HP-UX 11.0, this version allows customers to upgrade to WU-FTPD 2.6.1 from either the legacy FTP version, which is delivered with the core networking products on HP-UX 11.0, or from WU-FTPD 2.4, which is available in the patch PHNE_21936.
Documentation
The following product documentation is available with WU-FTPD 2.6.1.
Man Pages
The following man pages are distributed with the WU-FTPD 2.6.1 depot:
- ftp.1
- ftpd.1m
- ckconfig.1
- ftprestart.1
- ftpwho.1
- ftpcount.1
- ftpshut.1
- privatepw.1
- ftpaccess.4
- ftpgroups.4
- ftpservers.4
- ftpconversions.4
- ftpusers.4
- ftphosts.4
- xferlog.5
2003-07-31 | WU-FTPD Development Group
A vulnerability has been found in the current versions of WU-FTPD up to 2.6.2. Information describing the vulnerability is available from:
- CIAC bulletin N-132
- CVE CAN-2003-0466
- Red Hat errata RHSA-2003-245 with updated packages
- isec.pl
Please apply the realpath.patch patch to WU-FTPD 2.6.2.
This fixes an off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD. It may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
Additionally, applying the connect-dos.patch is advised for all systems.
This patch fixes a possible denial of service attack on systems that allow only one non-connected socket bound to the same local address.
Additionally, applying the skeychallenge.patch is advised strongly for systems using S/Key logins.
This patch fixes a stack overflow in the S/Key login handling.
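The off-by-one described above for fb_realpath(), as an added C illustration that is not WU-FTPD's source or the realpath.patch: a simplified model of a path join whose length check miscounts the separator, next to a join bounded on the bytes actually written. `PATH_CAP` (a small stand-in for MAXPATHLEN), `demo_buf`, `join_bytes`, `flawed_check_accepts` and `join_path` are hypothetical names, and the flawed check only reports its decision without writing anything.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Small stand-in for MAXPATHLEN so the boundary is easy to read (assumption). */
#define PATH_CAP 16

char demo_buf[PATH_CAP];   /* destination buffer used by the demo */

/* Bytes the join really writes, trailing NUL included. A '/' separator is
 * written unless dir is the root "/" itself. */
size_t join_bytes(const char *dir, const char *name)
{
    int is_root = (strcmp(dir, "/") == 0);
    return strlen(dir) + (is_root ? 0 : 1) + strlen(name) + 1;
}

/* Flawed bound (hypothetical model of the bug class): the separator is
 * counted only in the root case, where none is written, so a non-root join
 * that needs PATH_CAP + 1 bytes is accepted. Returns 1 if accepted. */
int flawed_check_accepts(const char *dir, const char *name)
{
    size_t is_root = (strcmp(dir, "/") == 0);
    return strlen(dir) + strlen(name) + is_root + 1 <= PATH_CAP;
}

/* Hardened join: the bound comes from the bytes actually written and the
 * real destination size. Returns 0, or -1 with errno = ENAMETOOLONG. */
int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    size_t dlen = strlen(dir);
    if (join_bytes(dir, name) > outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, dir, dlen);
    if (strcmp(dir, "/") != 0)
        out[dlen++] = '/';
    memcpy(out + dlen, name, strlen(name) + 1);
    return 0;
}

int main(void)
{
    /* Constructed input: 9 + 1 + 6 + 1 = 17 bytes, one more than PATH_CAP. */
    const char *dir = "/pub/data", *name = "upload";
    printf("needs %zu of %d bytes\n", join_bytes(dir, name), PATH_CAP);
    printf("flawed check accepts: %d\n", flawed_check_accepts(dir, name));
    printf("hardened join returns: %d\n",
           join_path(demo_buf, sizeof demo_buf, dir, name));
    return 0;
}
```

The same miscount makes the flawed check one byte too strict when the directory is the root, which is why the bound should be derived from the write itself and not from a separately maintained flag.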
Requirements: wu-ftpd 2.6.0
/etc/ftpaccess
First, you need to add an additional class for users that are allowed to do FXP (unless you just want to use the predefined class "all"). If you add a new class, this line MUST be before the catch-all class "all", or the client will match class "all" first.
The line is of the form:
class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]
Then you add lines to allow PASV and PORT commands to hosts whose IPs don't match the client (to allow FXP).
These lines are of the form:
port-allow {ArbitraryClassName} {HostAddrs}
pasv-allow {ArbitraryClassName} {HostAddrs}
Example
class newclass real,guest,anonymous *.mydomain.net *.more.client.addresses.com
class all real,guest,anonymous *
port-allow newclass 0.0.0.0/0
pasv-allow newclass 0.0.0.0/0
This basically adds a new class (creatively called "newclass") - note that it appears BEFORE the line containing the class "all" - this new class contains all hosts in the subdomains mydomain.net and more.client.addresses.com (domains obviously made up by yours truly), in order to limit who we will allow to do FXP. The port-allow and pasv-allow lines basically allow FXP connections to anywhere if your client is in the class "newclass".
Jan 14, 2001 | Linux Today
WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd. The problem exists in the privatepw helper program. As well, Linux-Mandrake 7.2 users must update to this package as it fixes security problems as discussed in the prior advisory, MDKSA-2000:014, which had not been previously addressed for 7.2.
All of the updated packages for Linux Mandrake versions 6.0 through 7.1 and the packages for Corporate Server 1.0.1 had an incorrect dependency on the xinetd package which prevented MandrakeUpdate from installing the updates. Updated packages for these versions have been released that are no longer dependent upon xinetd.
This release fixes the recent root compromise problems discovered in version 2.6.0, and includes other fixes and improvements.
"Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Unix systems developed at Washington University. wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world."
Check the relevant links and changes history at AppWatch.com.
We are working on a new release that fixes this and some other problems. Some Linux vendors (redhat and debian) have already released their patches. source patch is available in the quickfixes directory for release 2.6.0.
WU-FTPD - Wikipedia, the free encyclopedia
WU-FTPD Development Group -- official site
WU-FTPD Server Software -- mirror
How-To Guide for wu-ftpd on Solaris 2.x
Securing an Anonymous FTP Server in Solaris 8 with WU-FTPD
BigAdmin Description - WU-FTPD
Frequently Asked Questions about wu-ftpd Also at Frequently Asked Questions about wu-ftpd
Digest Name: Daily Security Bulletins Digest
Created: Mon Dec 13 3:00:05 PST 1999
Table of Contents:
Document ID      Title
---------------  -----------
HPSBUX9912-106   Security Vulnerability in wu-ftp
The documents are listed below.
-------------------------------------------------------------------------
Document ID: HPSBUX9912-106
Date Loaded: 19991212
Title: Security Vulnerability in wu-ftp
-------------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00106, 13 Dec. 1999
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: Multiple vulnerabilities in wu-ftp software.
PLATFORM: HP9000 series 7/800 servers running HP-UX release 11.00 only.
DAMAGE: Any user can gain root privileges.
SOLUTION: Apply the patch noted below.
AVAILABILITY: The patch is available now.
-------------------------------------------------------------------------
I.
A. Background
Starting with HP-UX release 11.00, Hewlett-Packard has made available the ported wu-ftp code. There are buffer overruns in the wu-ftpd plus corrections to other client functionality as mentioned in AUSCERT AA-1999.02 Advisory, dated 19 October 1999. See www.auscert.org.au. HP-UX release 10.20 supports only our legacy ftp and is not affected. Release 11.00 is, however, vulnerable and needs this patch. Our patch addresses the vulnerabilities that have been fixed in the 2.6.0 release of wu-ftpd which has been made available by the WU-FTPD Development Group.
B. Fixing the problem - Install patch PHNE_18377.
C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:
Use your browser to get to the HP IT Resource Center page at:
http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com (for Europe)
Under the Maintenance and Support Menu (Electronic Support Center): click on the "more..." link. Then -
To -subscribe- to future HP Security Bulletins, or
To -review- bulletins already released
click on "Support Information Digests" near the bottom of the page, under "Notifications".
Login with your user ID and password (or register for one). (Remember to save the User ID assigned to you, and your password).
On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".
Once in the archive the third link is to our current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic.
The security patch matrix is also available via anonymous ftp:
us-ffs.external.hp.com ~ftp/export/patches/hp-ux_patch_matrix
D. To report new security vulnerabilities, send email to [email protected]
Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to [email protected].
Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019