Rob Swindell authored
The Synchronet FTP server has (since 2001) disallowed PORT/EPRT/LPRT commands with a "reserved" port number (i.e. < 1024) as recommended by RFC2577 and when attempted, would log a "SUSPECTED FTP BOUNCE HACK ATTEMPT" in the data/hack.log file.

However, as Karloch (HISPAMSX) pointed out recently, an FTP Bounce Attack to other TCP ports was still possible (and detected/reported by some security scans as a potential vulnerability).

So, reject all PORT/EPRT/LPRT commands that specify an IP address other than that used for the control TCP connection unless the sysop specifically enables the new "ALLOW_BOUNCE" option flag (in the [ftp] section of sbbs.ini) and the user is an authenticated non-guest/anonymous user. And as before, log the attempt as a suspected hack attempt.

This change also removes the "Directory File Access" checkbox from the Synchronet Control Panel for Windows as that feature is "going away" soon (or at least, it won't be an FTP-specific option/feature if it remains).
f803b7bc
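An added example in C (not Synchronet's own code) of the policy this commit describes: the PORT argument is parsed, a reserved port (< 1024) is refused as before, and a data address that differs from the control connection's address is refused unless the ALLOW_BOUNCE option is set and the user is an authenticated non-guest. Function and type names are hypothetical and the addresses in main() are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verdict for a PORT request (hypothetical names, not Synchronet's). */
typedef enum { PORT_OK, PORT_RESERVED, PORT_BOUNCE, PORT_MALFORMED } port_verdict_t;

/* Parse the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2" into a dotted quad and a port. */
static bool parse_port_arg(const char *arg, char *ip, size_t iplen, unsigned *port)
{
    unsigned h[4], p[2];
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return false;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255) return false;
    if (p[0] > 255 || p[1] > 255) return false;
    snprintf(ip, iplen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *port = p[0] * 256 + p[1];
    return true;
}

/* control_ip: peer address of the control connection.
 * allow_bounce: the [ftp] ALLOW_BOUNCE flag; authed_user: logged in and not guest/anonymous. */
static port_verdict_t check_data_addr(const char *control_ip, const char *data_ip, unsigned port,
                                      bool allow_bounce, bool authed_user)
{
    if (port < 1024)                          /* reserved port, refused since 2001 (RFC 2577) */
        return PORT_RESERVED;
    if (strcmp(control_ip, data_ip) != 0 && !(allow_bounce && authed_user))
        return PORT_BOUNCE;                   /* caller logs "SUSPECTED FTP BOUNCE HACK ATTEMPT" */
    return PORT_OK;
}

/* Full check for one PORT command argument. */
port_verdict_t check_port_cmd(const char *control_ip, const char *arg, bool allow_bounce, bool authed_user)
{
    char ip[16];
    unsigned port;
    if (!parse_port_arg(arg, ip, sizeof ip, &port))
        return PORT_MALFORMED;
    return check_data_addr(control_ip, ip, port, allow_bounce, authed_user);
}

int main(void)
{
    /* Constructed addresses: control connection from 192.0.2.10, PORT naming a third host. */
    port_verdict_t v = check_port_cmd("192.0.2.10", "198,51,100,5,4,1", false, true);
    printf("third-party PORT without ALLOW_BOUNCE -> %s\n", v == PORT_BOUNCE ? "rejected" : "accepted");
    return 0;
}
```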

Synchronet Project

BBS-Related Software Source Repository

Directories within:

  • 3rdp - Third-party libraries
  • ctrl - Synchronet BBS configuration and run-time data files
  • docs - Synchronet BBS documentation (mostly legacy HTML)
  • exec - Synchronet BBS executable files (mostly JavaScript)
  • install - Synchronet BBS installation files
  • node1 - Synchronet BBS Terminal Server "node" configuration files
  • src - Source code (mostly C/C++)
  • text - Synchronet BBS text and menu files
  • web - Synchronet Legacy/Runemaster web UI
  • webv4 - echicken's web interface (v4) for Synchronet
  • xtrn - Synchronet BBS doors (mostly JavaScript)

Related web-sites:

  • Synchronet BBS Software
  • Synchronet Wiki
  • Synchronet Source Repository