Security update in FileZilla Server 0.9.6

FileZilla is a fast FTP and SFTP client for Windows with a lot of features. FileZilla Server is a reliable FTP server. FileZilla Server 0.9.6 fixes two problems which could be used for denial of service attacks against FileZilla Server. The first problem involves reserved MSDOS device names like CON, NUL, COM1, LPT1 and such. Under some Windows versions, FileZilla Server could freeze if the user issued a command to access a file whose name contained a reserved device name. The problem seems to occur only on Windows 2000 or older.

The second problem was caused by an infinite loop in the transfer logic. It could only happen if a file or directory listing was downloaded with MODE Z (zlib compression) enabled. Certain files triggered this problem with high probability, allowing a denial of service attack.

Here's the full changelog:

New features:
- SSL/TLS encryption. This feature is still experimental, use at your own risk.

Fixed bugs:
- Infinite loop on file uploads or directory listings if using zlib compression
- Sending commands whose filename arguments contained reserved MSDOS device names (such as NUL, CON, COM1, LPT1) could freeze FileZilla Server on older systems. Such filenames are now considered invalid
- Fixed crash if taking server offline
- Connection limits for users did not work as intended
- The /reload-config command line switch has been fixed
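The reserved-name check described above, as an added example that is not FileZilla Server's own code: it rejects a filename before any file I/O is attempted, and also catches names such as CON.PASCAL.txt, which Windows resolves to the CON device because only the part before the first dot is considered. The reserved-name list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and the function names are this example's own choices.

```cpp
// Added example, not FileZilla Server's own code: refuse filenames whose base
// name is a reserved MS-DOS device name, the check the changelog describes.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Final path component, accepting both '/' and '\\' as separators.
static std::string basename_of(const std::string& path) {
    std::string::size_type pos = path.find_last_of("/\\");
    return pos == std::string::npos ? path : path.substr(pos + 1);
}

// Windows derives the device name from the text before the first '.',
// ignoring case and trailing spaces, so "CON.PASCAL.txt" still names CON.
bool is_reserved_device_name(const std::string& path) {
    static const std::vector<std::string> reserved = {
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
    };
    std::string stem = basename_of(path);
    stem = stem.substr(0, stem.find('.'));             // drop the first '.' and everything after it
    while (!stem.empty() && stem.back() == ' ')         // trailing spaces are ignored by Windows
        stem.pop_back();
    std::transform(stem.begin(), stem.end(), stem.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    return std::find(reserved.begin(), reserved.end(), stem) != reserved.end();
}

// Constructed FTP reply strings: the rejection text matches the server's
// "550 invalid filename"; the acceptance text is this example's own.
std::string validate_filename(const std::string& path) {
    if (path.empty() || is_reserved_device_name(path))
        return "550 invalid filename";
    return "200 filename accepted";
}
```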

This latest release can be found here:

Posted by Tim Kosse 2005-03-21
  • RockFox

    I was trying to FTP PUT CON.PASCAL.txt to a Windows 7 Pro running the FileZilla server. I was baffled because I kept getting a "550 invalid filename" message. I finally narrowed it down to where I was sure that "CON" was the problem and then a search brought me to this page. This blog entry explained the problem. I changed the filename to CON_PASCAL.txt and all is well.