Software Update: FileZilla Server 0.9.6

Filezilla Server is an open source FTP server software that supports FXP, Secure-FTP, GSS authentication, Kerberos encryption, among others. Recently, a new version has been available at Sourceforge that has been given 0.9.6 as the version number. This closes two possible security points that could potentially lead to a DoS of a FileZilla Server. The release notes look like this:

FileZilla Server 0.9.6 fixes two problems which could be used as denial of service attacks against FileZilla Server. The first problem involves reserved MSDOS device names like CON, NUL, COM1, LPT1 and such. Under some Windows versions, FileZilla Server could freeze if the user issued a command to access a file containing a reserved name. The problem seems to only occur on Windows 2000 or older.

The second problem was caused by an infinite loop in the transfer logic. It could only happen if a file or directory listing was downloaded with enabled MODE Z. Certain files did trigger this problem with a high probability allowing a denial of service attack.

New features:

  • SSL/TLS encryption. This feature is still experimental, use at your own risk.

Fixed bugs:

  • Infinite loop on file uploads or directory listings if using zlib compression
  • Sending commands with filenames as arguments which did contain reserved MSDOS device names (such as NUL, CON, COM1, LPT1) could freeze FileZilla Server on older systems. Those filenames are now considered invalid
  • Fixed crash if taking server offline
  • Connection limits for users did not work as intended
  • The /reload-config command line switch has been fixed

Version number 0.9.6
Operating systems Windows 9x, Windows NT, Windows 2000, Windows XP, Windows Server 2003
Website sourceforge
Download
file size

2.11MB

License type GPL