mailing list archives
Re: SurgeFTP vulnerabilities
From: Alun Jones <alun () texis com>
Date: Mon, 25 Jun 2001 09:42:34 -0500
At 03:08 AM 6/19/2001, you wrote:
2.) FTP allows anybody to DOS the machine with a well known con/con attack.
2.) Connect to the server with anonymous and type cd con/con (yes, this is
well know and works with MANY other too, but we think it should be
While filtering such a command line may be a worthy suggestion, and is
certainly implemented in our own software, it is far from a perfect (or
even appropriate) solution.
CON/CON is easy to avoid - you just filter on CON/CON. But then you also
have to consider _every_ other DOS device name (MS calls them DDNs, in KB
articles that reference them) that is, or could be, on your
system. CLOCK$, for instance, can be used instead of CON, as can AUX, PRN,
LPT1-9, etc, etc. Okay, you say, so you filter the standard DDNs
out. Then you have to worry about non-standard, but possibly popular DDNs.
There is no system call (that I could find after several days of searching)
that will enumerate the available DDNs, and there appears to be no interest
in generating a patch that will prevent this DDN\DDN blue-screen
error. The only option available to developers is to filter on as many
known DDNs as possible, and allow the user to extend that filter as and
when necessary. This, of course, requires a substantially educated user,
which is almost always the weakest possible means of securing a system.
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.