Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDelphis Security TeamPACKETSTORM:22074
HistoryMay 31, 2000 - 12:00 a.m.

DST2K0009.txt

2000-05-3100:00:00
Delphis Security Team
packetstormsecurity.com
13
JSON
`================================================================================  
Delphis Consulting Plc  
================================================================================  
  
Security Team Advisories  
[31/05/2000]  
  
  
[email protected]  
[http://www.delphisplc.com/thinking/whitepapers/]  
  
================================================================================  
Adv : DST2K0009  
Title : Userlisting Bug in Ipswitch WS_FTP Server 1.05E  
Author : DCIST ([email protected])  
O/S : Microsoft Windows NT v4.0 Server (SP5)  
Product : Ipswitch WS_FTP Server 1.05E  
Date : 31/05/2000  
  
I. Description  
  
II. Solution  
  
III. Disclaimer  
  
  
================================================================================  
  
  
I. Description  
================================================================================  
  
Severity: Low  
  
An attacker using the "USER" command with a very long name, approximately 1000  
characters, can confuse the Server Manager in certain circumstances.  
  
If the site administrator connects remotely using the Server Manager, and then  
views the Session Manager before expanding the tree, Server Manager cannot  
properly administer the site during that connection. Invalid objects, or no   
objects will appear in the tree, and the Session Manager may not display  
all users currently logged in.  
  
If the site administrator opens the tree before viewing the Session Manager, only  
the Session Manager data will be incorrect. Typically this manifests itself as an  
inability to show all users currently connected to the site being administered.  
  
Attempting to refresh the Session Manager whilst it is in this confused state   
leads to the Session Manager not displaying any users on the site being administered.  
  
Note that all detail still appears correctly logged in WS_FTP's log files.  
  
  
  
II. Solution  
================================================================================  
  
Vendor Status: Informed  
  
Currently there is no vendor patch available but the following is a working around  
Delphis Consulting Internet Security Team would for users running this service.  
  
The workaround is to kill the invalid username the FIRST time Session Manager is invoked.   
Disconnecting and reconnecting to the remote site should then allow normal administration. It  
is possible that this procedure would need to be followed several times for each invalid username.  
  
  
III. Disclaimer  
================================================================================  
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR  
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE  
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR  
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE  
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.  
================================================================================  
  
`
JSON