Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, libarchive.org for more info) to build successfully.

Disable FTP Bounce (FXP) support by default

The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.

However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).

So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.

This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
14 jobs for master in 11 minutes and 27 seconds (queued for 12 seconds)
Status Job ID Name Coverage
  Build
passed #11385
FreeBSD
jsdoor-freebsd

00:05:18

passed #11386
Linux
jsdoor-linux

00:06:57

passed #11388
FreeBSD
jsdoor-windows

00:03:43

passed #11380
FreeBSD
sbbs-freebsd

00:06:26

passed #11375
Linux
sbbs-linux

00:09:44

passed #11378
Windows
sbbs-windows

00:05:37

passed #11387
FreeBSD
sexpots-freebsd

00:00:15

passed #11376
Linux
sexpots-linux

00:00:15

passed #11379
Windows
sexpots-windows

00:00:31

passed #11383
FreeBSD
syncdraw-freebsd

00:00:23

passed #11384
Linux
syncdraw-linux

00:01:43

passed #11381
FreeBSD
syncterm-freebsd

00:01:14

passed #11377
Linux
syncterm-linux

00:03:37

passed #11382
FreeBSD
syncterm-windows

00:02:29