Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, libarchive.org for more info) to build successfully.

  1. 19 Feb, 2021 5 commits
    • Rob Swindell's avatar
      Correct the parse_mail_address() argument order · e9329f6c
      Rob Swindell authored
      Issue introduced in previous commit to this file. The name arg(s) comes before the address arg(s).
      e9329f6c
    • Deucе's avatar
      2d90939b
    • Deucе's avatar
      Fix CIDs 174500 and 174471 · 59b8829a
      Deucе authored
      59b8829a
    • Rob Swindell's avatar
      Automatically route in-transit mail to points to boss nodes · 45ced2a3
      Rob Swindell authored
      If the destination point node is not a linked node (does not exist in sbbsecho.ini), but the boss node is linked, automatically route to the boss node. The log entries look like this when this happens:
      "Routing packet (%s) to boss-node %s"
      "Routing NetMail (%s) to boss-node %s"
      
      For poindexter FORTRAN (REALITY) - test results appreciated.
      
      Incremented SBBSecho version to 3.13.
      45ced2a3
    • Rob Swindell's avatar
      Recognize DNB blacklist exempted email addresses in From fields · 27079b33
      Rob Swindell authored
      Previously, any DNS blacklist-exempt email addresses (in ctrl/dnsbl_exempt.cfg) had to be used in the mail-envelope (the "MAIL FROM:" address) - that doesn't work for all senders that use re-mailers or whatever where you end-up with some *bounce* address as the envelope-sender.
      
      So now, clear the DNSBL results when the From header field is parsed and the sender was in fact an exempt sender. Note: the Subject line will still contain the SPAM tag if the subject was parsed first (came earlier in the message header). May need to address this limitation in the future if it turns out to be a problem (!).
      
      Lowercase the [smtp|smtps]spy.txt log file.
      27079b33
  2. 18 Feb, 2021 10 commits
  3. 17 Feb, 2021 5 commits
  4. 16 Feb, 2021 9 commits
  5. 15 Feb, 2021 11 commits
    • Rob Swindell's avatar
      Disable FTP Bounce (FXP) support by default · 635fad77
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
      635fad77
    • Rob Swindell's avatar
      Disable FTP Bounce (FXP) support by default · ebece39d
      Rob Swindell authored
      The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.
      
      However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).
      
      So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.
      
      This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
      ebece39d
    • Rob Swindell's avatar
      Address more Coverity issues · 5e7baf93
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
      5e7baf93
    • Rob Swindell's avatar
      Address more Coverity issues · 9344a7d8
      Rob Swindell authored
      Reverted the SAFECOPY() NULL source-pointer magic "(null)" string thing as that caused a different Coverity issue. Explicitly check for NULL at the call-sites instead.
      9344a7d8
    • Rob Swindell's avatar
      glob() paranoia · 081e05c7
      Rob Swindell authored
      Make Coverity happy.
      081e05c7
    • Rob Swindell's avatar
      glob() paranoia · 454a05f0
      Rob Swindell authored
      Make Coverity happy.
      454a05f0
    • Rob Swindell's avatar
    • Rob Swindell's avatar
    • Rob Swindell's avatar
      7299e000
    • Rob Swindell's avatar
      5771d524
    • Rob Swindell's avatar
      Address Coverity-reported issues · 68990cd8
      Rob Swindell authored
      Hopefully not introducing any bugs in the process.
      68990cd8