11-08-2005, 11:13 PM
_panic_
wk5 development status

this is my sixth weekly status report.

i must admit to being fairly frightened releasing a new version of ioFTPD last week. i didn't really know how much the source code i have deviated from the 5.8.5r release. i was prepared for massive numbers of reported problems over all areas of the codebase.

the reality turned out much better than that, and it appears most users are able to use 5.8.6r without problems. doing the release did get additional bug reports to me, which i will summarize below:
  • "site who" now crashes the server, instead of being unimplemented like it used to be.
  • in some cases (all cases?) an empty php.ini file should be included.
  • the !uptime command is not working like it used to.
  • the ioftpd icon reverted to the default command-line icon.

i think i got everything, but if i missed an issue that specifically came up with the 5.8.6r release, let me know.

one major issue that has come up is that the 5.8.6r release seems to be incompatible with any compiled module. these are not the normal tcl scripts, but the dll files specified in the [Modules] section of ioftpd.ini. it could be that sharedb is the only actual program using this interface.

documenting this interface is high on my priority list, so it looks like i'll both get that stuff done as well as provide support to those of you working on modules using this interface.

also this week, a security issue was published concerning ioftpd. you can read about the issue at this site. basically ioftpd uses different error messages for an unknown user and an unknown password. you can exploit this to determine whether a username is a valid account on the server. modern server design calls for this information to be hidden.

i actually noticed this issue writing some regression tests for ioftpd. i consider the behaviour poor form regardless of the security implications; expect a fix for this in the next release.

please direct all comments to the comment thread.
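The login behaviour described in the post, as an added example that is not part of the original post and is not ioFTPD code: a minimal in-memory USER/PASS handler in its leaky and uniform forms, plus a regression check that compares failed-login transcripts for a real and a bogus account. The class names, account store and reply texts are constructed for illustration; only the FTP reply codes are standard.

```python
import hashlib
import hmac

# Constructed account store and reply strings; not ioFTPD's own formats or messages.
def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 1000)

USERS = {"alice": _hash("correct horse")}
_DUMMY = _hash("placeholder for unknown accounts")

class LeakySession:
    """Different replies for an unknown user and a wrong password."""
    def __init__(self):
        self.user = None
    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd == "USER":
            if arg not in USERS:
                return "530 Unknown user."
            self.user = arg
            return "331 Password required."
        if cmd == "PASS" and self.user is not None:
            ok = hmac.compare_digest(_hash(arg), USERS[self.user])
            return "230 Logged in." if ok else "530 Wrong password."
        return "503 Login with USER first."

class UniformSession:
    """Same replies whether or not the account exists."""
    def __init__(self):
        self.user = None
    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd == "USER":
            self.user = arg  # accept any name, decide nothing yet
            return "331 Password required."
        if cmd == "PASS" and self.user is not None:
            # Hash against a dummy for unknown names so the work done is the same.
            match = hmac.compare_digest(_hash(arg), USERS.get(self.user, _DUMMY))
            ok = match and self.user in USERS
            self.user = None
            return "230 Logged in." if ok else "530 Login incorrect."
        return "503 Login with USER first."

def transcript(session_cls, user, password):
    s = session_cls()
    return [s.handle(f"USER {user}"), s.handle(f"PASS {password}")]

def leaks_account_existence(session_cls):
    """Regression check: a failed login must look identical for real and bogus names."""
    return transcript(session_cls, "alice", "x") != transcript(session_cls, "nobody", "x")
```

The same check can be pointed at a live test server by replacing `transcript` with a function that records the server's actual replies.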