Security update in FileZilla Server 0.9.6

FileZilla is a fast FTP and SFTP client for Windows with a lot of features. FileZilla Server is a reliable FTP server. FileZilla Server 0.9.6 fixes two problems which could be used as denial of service attacks against FileZilla Server. The first problem involves reserved MSDOS device names like CON, NUL, COM1, LPT1 and such. Under some Windows versions, FileZilla Server could freeze if the user issued a command to access a file containing a reserved name. The problem seems to only occur on Windows 2000 or older.

The second problem was caused by an infinite loop in the transfer logic. It could only happen if a file or directory listing was downloaded with enabled MODE Z. Certain files did trigger this problem with a high probability allowing a denial of service attack.

Here's the full changelog:

New features:
- SSL/TLS encryption. This feature is still experimental, use at your own risk.

Fixed bugs:
- Infinite loop on file uploads or directory listings if using zlib compression
- Sending commands with filenames as arguments which did contain reserved MSDOS device names (such as NUL, CON, COM1, LPT1) could freeze FileZilla Server on older systems. Those filenames are now considered invalid
- Fixed crash if taking server offline
- Connection limits for users did not work as intended
- The /reload-config command line switch has been fixed

This latest release can be found here:

https://sourceforge.net/project/showfiles.php?group_id=21558&package_id=15149

Posted by Tim Kosse 2005-03-21