  • From Rob Swindell to Git commit to main/sbbs/master on Mon Feb 15 14:13:56 2021
    https://gitlab.synchro.net/main/sbbs/-/commit/ebece39d9ede4e91a1650a84
    Modified Files:
    src/sbbs3/ctrl/FtpCfgDlgUnit.cpp FtpCfgDlgUnit.dfm FtpCfgDlgUnit.h src/sbbs3/ftpsrvr.c ftpsrvr.h
    Log Message:
    Disable FTP Bounce (FXP) support by default

    The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.

    However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).

    So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.

    This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
  • From Rob Swindell to Git commit to main/sbbs/master on Mon Feb 15 19:14:16 2021
    https://gitlab.synchro.net/main/sbbs/-/commit/5277b057e0b0d81bd8dc3016
    Modified Files:
    src/sbbs3/ctrl/FtpCfgDlgUnit.cpp FtpCfgDlgUnit.dfm FtpCfgDlgUnit.h src/sbbs3/ftpsrvr.c ftpsrvr.h
    Removed Files:
    src/sbbs3/sbbs.zip
    Log Message:
    Disable FTP Bounce (FXP) support by default

    The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.

    However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).

    So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.

    This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
  • From Rob Swindell to Git commit to main/sbbs/master on Mon Feb 15 19:31:37 2021
    https://gitlab.synchro.net/main/sbbs/-/commit/635fad7768f79be3dd2755f9
    Modified Files:
    src/sbbs3/ctrl/FtpCfgDlgUnit.cpp FtpCfgDlgUnit.dfm FtpCfgDlgUnit.h src/sbbs3/ftpsrvr.c ftpsrvr.h
    Log Message:
    Disable FTP Bounce (FXP) support by default

    The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.

    However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).

    So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.

    This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
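    The data-connection address policy that the three commit messages above describe (reject a reserved port below 1024 outright; reject a target address other than the control connection's unless ALLOW_BOUNCE is on and the user is an authenticated non-guest), written out as an added example. This is not Synchronet's code from src/sbbs3/ftpsrvr.c; the function names, the verdict enum, the decision to compare addresses as strings, and the omission of LPRT are all assumptions made here for illustration.

```c
/* Added example, not Synchronet's own code. Parses PORT (RFC 959) and
 * EPRT (RFC 2428) arguments and applies the anti-bounce policy from the
 * commit message. All identifiers below are hypothetical. LPRT is not
 * handled. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict {
    DATA_ACCEPT = 0,
    DATA_REJECT_RESERVED_PORT,  /* port < 1024, as recommended by RFC 2577 */
    DATA_REJECT_BOUNCE          /* target address != control-connection address */
};

/* "h1,h2,h3,h4,p1,p2" -> dotted quad + port. Returns false on malformed input. */
static bool parse_port_arg(const char *arg, char *ip, size_t ipsz, unsigned *port)
{
    unsigned h[4], p[2];
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return false;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255) return false;
    if (p[0] > 255 || p[1] > 255) return false;
    snprintf(ip, ipsz, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *port = p[0] * 256 + p[1];
    return true;
}

/* "<d>proto<d>addr<d>port<d>" with proto 1 (IPv4) or 2 (IPv6). */
static bool parse_eprt_arg(const char *arg, char *ip, size_t ipsz, unsigned *port)
{
    char d = arg[0];
    if (d == '\0') return false;
    const char *p1 = arg + 1;
    const char *p2 = strchr(p1, d);      if (!p2) return false;
    const char *p3 = strchr(p2 + 1, d);  if (!p3) return false;
    const char *p4 = strchr(p3 + 1, d);  if (!p4 || p4[1] != '\0') return false;
    if (p2 - p1 != 1 || (*p1 != '1' && *p1 != '2')) return false;
    size_t alen = (size_t)(p3 - p2 - 1);
    if (alen == 0 || alen >= ipsz) return false;
    memcpy(ip, p2 + 1, alen);
    ip[alen] = '\0';
    char *end;
    unsigned long v = strtoul(p3 + 1, &end, 10);
    if (end == p3 + 1 || end != p4 || v > 65535) return false;
    *port = (unsigned)v;
    return true;
}

/* The policy itself. Assumption: addresses are compared as canonical strings;
 * real code should compare parsed sockaddrs so that textual IPv6 variants
 * of the same address are not treated as different hosts. */
static enum verdict check_data_target(const char *ctrl_ip, const char *data_ip,
                                      unsigned port, bool allow_bounce,
                                      bool authed_non_guest)
{
    if (port < 1024)
        return DATA_REJECT_RESERVED_PORT;
    if (strcmp(ctrl_ip, data_ip) != 0 && !(allow_bounce && authed_non_guest))
        return DATA_REJECT_BOUNCE;
    return DATA_ACCEPT;
}

/* Returns an enum verdict value, or -1 when the verb/argument does not parse.
 * Anything other than DATA_ACCEPT is what the server would log as a
 * suspected bounce attempt. */
static int check_data_cmd(const char *verb, const char *arg, const char *ctrl_ip,
                          bool allow_bounce, bool authed_non_guest)
{
    char ip[64];
    unsigned port;
    bool ok;
    if (strcmp(verb, "PORT") == 0)      ok = parse_port_arg(arg, ip, sizeof ip, &port);
    else if (strcmp(verb, "EPRT") == 0) ok = parse_eprt_arg(arg, ip, sizeof ip, &port);
    else return -1;
    if (!ok) return -1;
    return (int)check_data_target(ctrl_ip, ip, port, allow_bounce, authed_non_guest);
}

int main(void)
{
    /* Constructed sample commands from a client whose control connection is 10.0.0.5 */
    const char *ctrl = "10.0.0.5";
    printf("same host, port 1024: %d\n", check_data_cmd("PORT", "10,0,0,5,4,0", ctrl, false, false));
    printf("same host, port 80:   %d\n", check_data_cmd("PORT", "10,0,0,5,0,80", ctrl, false, false));
    printf("other host, default:  %d\n", check_data_cmd("PORT", "192,168,1,7,4,0", ctrl, false, false));
    printf("other host, allowed:  %d\n", check_data_cmd("EPRT", "|1|192.168.1.7|1024|", ctrl, true, true));
    return 0;
}
```

    The reserved-port check runs before the address comparison, so a bounce to a low port on another host is reported as a reserved-port rejection; both outcomes are refused, so the order only affects what gets logged.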