HPE Community
Operating System - HP-UX
1833869 Members
1840 Online
110063 Solutions
New Discussion

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

 
SOLVED
Go to solution
PamelaJThrasher
Regular Advisor

‎03-19-2008 06:58 AM

‎03-19-2008 06:58 AM

does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

Hello
I am being asked to make sure that all my HP-UX servers have been remediated against the RealPath off-by-one buffer over flow vulnerability in wu-ftp that was identified in 2003.

According to the documentation that I found, wu-ftp version 2.6.2 this has been addressed but I cannot find that version available to download from HP.

Does anyone know if the wu-ftp version 2.6.1 from November 2007 that is available from HP addresses this issue? I have glanced through the release notes and cannot find any mention of it.

Attached is a detailed description of the vulernability that I found at the SANS institute site.

Thanks in advance!
0 Kudos
11 REPLIES 11
Steven E. Protter
Exalted Contributor

‎03-19-2008 07:44 AM

‎03-19-2008 07:44 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

Shalom,

It is safe to say the November 2007 release of wu-ftpd included fixes to all known vulnerabilities released in 2003.

In addition, there are several binary fixes to wu-ftpd that are available via ftp via the itrc website or by making a call to the response center.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
PamelaJThrasher
Regular Advisor

‎03-19-2008 07:51 AM

‎03-19-2008 07:51 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

Thank you!

The HP download site for wu-ftp 2.6.1 states that it is for 11.0 and 11.11.

I also have 11.23(PA-RISC) and 11.31 (Itanium) servers. Do you know where I could get version 2.6.1 for those servers?
0 Kudos
Paul Sperry
Honored Contributor

‎03-19-2008 11:18 AM

‎03-19-2008 11:18 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

you can download the source code here and build it.

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/


you want to get the wu-ftpd-2.6.2.tar.gz file

or wu-ftpd-2.6.1.tar.gz if ou want all of yoour systems on the save version

0 Kudos
PamelaJThrasher
Regular Advisor

‎03-20-2008 03:42 AM

‎03-20-2008 03:42 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

I have tried multiple times to get to the link in the above post.

I always get the following response:

Windows cannot access this folder. Make sure you type the file name correctly and that you have permission to access the folder.
Details: Operation timed out

I get that message from clicking on the link in the above response as well as going directly to the http://www.wu-ftpd.org/ site and clicking on the link that they provide there. I also get that response when trying to download from any of the mirror sites close to me.
0 Kudos
Paul Sperry
Honored Contributor

‎03-20-2008 06:12 AM

‎03-20-2008 06:12 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

Thats weird
the link ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
and http://www.wu-ftpd.org
both work for me.
Are you behind a fire wall and do you have your proxy settings set correctly?
0 Kudos
PamelaJThrasher
Regular Advisor

‎03-20-2008 06:17 AM

‎03-20-2008 06:17 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

I am behind a firewall. I am able to get to the http://www.wu-ftpd.org site with no problem but none of the ftp sites seem to be working for me.

I have my HP Account Support Consultant coming on site tomorrow. He has said that he can look into this and get the download for me if it is my proxy settings.

Thanks for your help.
0 Kudos
Paul Sperry
Honored Contributor

‎03-20-2008 06:49 AM

‎03-20-2008 06:49 AM

Solution

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

I am assuming your using IE
If so try this.

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab, click to clear the Enable folder view for FTP sites check box, click Apply, and then click OK.
0 Kudos
PamelaJThrasher
Regular Advisor

‎03-20-2008 06:53 AM

‎03-20-2008 06:53 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

I looked and that box is already checked. :-(

Thanks for trying.
0 Kudos
Paul Sperry
Honored Contributor

‎03-20-2008 06:55 AM

‎03-20-2008 06:55 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

You need to un-check it (clear the check mark)
0 Kudos
PamelaJThrasher
Regular Advisor

‎03-20-2008 07:36 AM

‎03-20-2008 07:36 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

That worked. Thank you! I have saved the 2.6.2 version.

Thanks again.
0 Kudos
PamelaJThrasher
Regular Advisor

‎03-20-2008 07:38 AM

‎03-20-2008 07:38 AM

Re: does wu-ftp version 2.6.1 from November 2007 address the RealPath vulnerability?

I have downloaded wu-ftp 2.6.2 from their site. This will definitely have the fix in place.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.