WS_FTP Server Changelog

What's new in WS_FTP Server 7.6.3

Nov 5, 2014
  • Security Update:
  • Release 7.6.3 includes all prior upgrades that addressed the Heartbleed vulnerability, and includes OpenSSL version 1.0.1h.
  • New in 7.6.3:
  • Version 7.6.3 includes the option to delete old files and/or empty sub-folders after a specified number of days. You can configure cleanup settings at the folder level or at the host level. By default, folders will inherit the host-level default values unless they are overridden at the folder level. Host-level settings also apply to virtual folders and their descendants, but only if the virtual folder points to a location outside of the host's top folder, to avoid having multiple cleanup profiles affect a single folder.
  • This release also includes the option to expire user accounts a specified number of days after user account creation or last logon. At the host level you can also delete expired user accounts after they have been expired a specified number of days. These settings only take effect when the host's authentication database type is WSFTP.
  • A new service, "Ipswitch Scheduler," is installed and runs at 1:00 am every night. This service cleans up old files and sub-folders, as well as expired users. The cleanup process will never delete virtual folders themselves, only physical folders.
  • When using a command line to create a user, administrators can now use the -o homefolder argument to set a user's home folder.
  • The following issues were addressed in V7.6.3:
  • LDAP login fails. Blank BindRequest sent during connection
  • Added a new LDAP configuration option, "Force Simple Binding," which, when enabled, falls back to the simple binding method used in pre-7.6 versions of WS_FTP Server.
  • User can get to Change Password page without providing correct password
  • If the administrator had set Force Change Password on an account and that user then attempted to log in, that user did not have to provide the correct password for the change password dialog to appear. Fixed this so that now the user must provide the correct current password before being allowed to change the password.
  • STAT command is case-sensitive
  • Difficulties were experienced when downloading files from WS_FTP Server over SFTP using ColdFusion or OpenSSH command-line clients. The OpenSSH and ColdFusion clients issue a STAT command before attempting to download the file, and if the STAT command fails they never attempt to read the file. In WS_FTP Server, the STAT command failed unless the filename was issued with the exact filename (matching case), because the filename comparison performed for STAT was case-sensitive. Fixed this issue.
  • Unsecure Cookies Parameter on Web Application
  • The vulnerability allowed an attacker to steal cookies that were not set with the Secure attribute on HTTPS connections. By sniffing the traffic, the attacker could see the current values of the cookies used for login. For WTM and AHT, all cookies now use the "HttpOnly" flag, and if the connection is secure, they also use the "Secure" flag.
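An added example (not code from WS_FTP Server) of the check a reviewer would run against responses from the WTM and AHT interfaces: it audits Set-Cookie headers for the HttpOnly flag, and for Secure when the response is served over HTTPS, and re-emits a hardened header. The sample headers and cookie names are constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers; cookie names are hypothetical and are
# not the real names used by the WTM or AHT interfaces.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",                # neither flag set
    "aht_pkg=pkg42; Path=/; HttpOnly",       # HttpOnly only
    "prefs=dark; Path=/; HttpOnly; Secure",  # already hardened
]


def audit_set_cookie(headers, https):
    """Return a list of (cookie_name, problem) for every cookie that lacks
    HttpOnly, or lacks Secure when the response travelled over HTTPS."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses attributes; bare HttpOnly/Secure become True
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly"))
            if https and not morsel["secure"]:
                findings.append((name, "missing Secure"))
    return findings


def harden_set_cookie(header, https):
    """Re-emit one Set-Cookie header with HttpOnly always set and Secure set
    when the connection is HTTPS. Existing attributes (Path etc.) are kept."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie per Set-Cookie header")
    morsel = next(iter(jar.values()))
    morsel["httponly"] = True
    if https:
        morsel["secure"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS, https=True):
        print("%s: %s" % finding)
    for h in SAMPLE_HEADERS:
        print(harden_set_cookie(h, https=True))
```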
  • Notification Variable: %Status returns Failed when files are downloaded using SFTP (binary mode) on Filezilla 3.6 or WinSCP 5.1
  • There was a failure to check the proper variables when determining whether or not a whole file had been downloaded, which led to the system thinking it had not downloaded the whole file when closing the connection. Fixed this issue.
  • Blacklist Notifications do not display in GUI after upgrading from a version prior to 7.5 to version 7.6.
  • After adding a blacklist notification on the server, clicking Save, restarting the services and then returning to the IP Lockout Settings in the Manager, the notification did not display. In 7.5 there was a modification to have blacklist notifications all show up regardless of the host, using ID '0' in the host_rules table for this rule. However, old entries in host_rules were not updated to use ID '0' when upgrading to 7.5+, so none of these rules would show up in the UI after an upgrade, as it explicitly looks for ID '0'. Fixed this issue.
  • AHT Unable to download file if file name over 132 characters
  • A file with a file name over 132 characters could be successfully uploaded to the Ad Hoc Transfer package folder, but when that file was downloaded, the filename would be truncated in the database and the download would fail with a 'file not found' error. We were using an array limited to 128 characters in one function where the file name was passed through. That array has been updated to 512 characters (matching the database field max), which fixes the issue.
  • Unable to send email notification to more than 2 recipients (rcpt to) or if email address length exceeds 73 characters
  • After setting an email notification in WS_FTP Server to send to multiple email recipients, only the first two email accounts received notifications; no other users received notifications. This was a known issue related to a character limit with the Send To field in a telnet-style email. An encoding function was being run against the list of 'To' addresses, which was adding unnecessary additional characters. The encoding function no longer adds these characters. The recipient list can now contain up to 500 characters.
  • Linux SSH public key imports to WS_FTP Server, but will not authenticate until the SSH key is converted
  • We were including comments at the end of the public key (which are auto-generated in Linux systems) as a part of the key itself, so the fingerprints being generated were inaccurate. The fix modifies the Server to not read those comments as part of the key during the login process, so administrators do not need to re-import any keys.
  • ViewState variable is not strongly encrypted, which enables an attacker to view contents that could potentially reveal sensitive information
  • Configuration changes were made to the application to ensure that the View State data is sufficiently protected by setting the viewStateEncryptionMode to "Always."
  • Upgrade of WS_FTP Server 7.5.1.2 to 7.6 Build 444 took hours to complete (Windows Server 2008 32-bit with WS_FTP Server 7.5.1.2 upgraded to 7.6 Build 444)
  • Replaced pkgmgr.exe with servermanagercmd.exe in the core and module installers. This has improved the performance of this piece of the install by approximately an order of magnitude (about ten times).
  • Service Trusted Path Privilege exploit
  • The exploit took advantage of the unquoted service paths vulnerability outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128. The vulnerability took advantage of the way Windows parsed directory paths to execute code. Fixed this issue by placing double quotes around the path to the service when providing it to the function that creates the service. Clean installs will now install services with quoted image paths. During an upgrade or maintenance, the WS_FTP Server installer will check existing service image paths and quote them if they currently aren't quoted.
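A defender's check in the spirit of the installer behaviour described above, added here as an example and not code from WS_FTP Server or its installer: it flags service image paths that are unquoted and whose executable portion contains a space (the condition under which Windows may try an earlier, shorter path such as C:\Program.exe before the intended binary), and produces the quoted form while preserving service arguments. The service names and paths are constructed; the Ipswitch install locations are hypothetical.

```python
import re

# Constructed sample image paths as they might appear in the service
# configuration. The Ipswitch paths are hypothetical, not the product's real ones.
SAMPLE_SERVICES = {
    "WS_FTP Server": r"C:\Program Files\Ipswitch\WS_FTP Server\ftpd.exe -service",
    "Ipswitch Scheduler": r'"C:\Program Files\Ipswitch\WS_FTP Server\scheduler.exe"',
    "svchost-like": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# The executable is the shortest prefix ending in ".exe" (case-insensitive);
# anything after the following whitespace is treated as service arguments.
_EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?P<args>\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (exe, args) for an unquoted image path. If no .exe token is
    found, the whole string is treated as the executable with no arguments."""
    path = image_path.strip()
    m = _EXE_RE.match(path)
    if not m:
        return path, ""
    return m.group("exe"), m.group("args") or ""


def needs_quoting(image_path):
    """True when the image path is unquoted and its executable portion contains
    a space, i.e. the unquoted-service-path condition the fix above removes."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    exe, _ = split_image_path(path)
    return " " in exe


def quote_image_path(image_path):
    """Wrap the executable portion in double quotes, keeping any arguments.
    Already-quoted paths are returned unchanged (idempotent on upgrade)."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe, args = split_image_path(path)
    return '"%s"%s' % (exe, args)


def audit_services(services):
    """Map service name -> corrected image path for each service whose current
    image path needs quoting; services already safe are omitted."""
    return {name: quote_image_path(p) for name, p in services.items() if needs_quoting(p)}
```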
  • Change Directory (CD) commands are case-sensitive when changing into a virtual folder
  • Affected only the CD into the initial virtual folder; sub-directories under that did accept either upper or lower case CD commands. Fixed this issue by modifying the query to allow case-insensitive searches.
  • Ability to better control SSL version support in WS_FTP Server
  • Customers needed the ability to disable SSL v1 and v2 in WS_FTP Server, but leave SSL v3 and TLS enabled on the server. PCI compliance scans were failing when SSL v2 was enabled. The only option was to disable all but TLS. Fixed this issue by adding a new option to the listener encryption settings page: "Enable TLS and SSL version 3."
  • Entering a user name that begins with the letters "s," "g," or "d" in the WTM caused the password field to auto-fill with an invalid password after having logged on previously, requiring the user to clear the password field and manually enter the correct password.
  • Fixed the issue by fine-tuning the way usernames are located from within cookies.
  • Files larger than 2 GB cannot be downloaded, renamed or deleted via the WTM using Internet Explorer, and files larger than 2 GB cannot be renamed or deleted via the WTM using Firefox and Chrome but they can be downloaded. Browsers are also not reporting total file size of downloads correctly when the downloaded file size is larger than 2 GB.
  • Fixed this issue. Previously, headers returned to the client for the file download included a negative file size if the file was larger than 2 GB, which caused IE to break and other browsers to not be able to report total downloaded file size. Files larger than 2 GB can now be downloaded, renamed, and deleted in all browsers and downloaded file sizes are correct.
  • Large number of files in a user folder slows down the directory listing or results in failure to log on altogether in WTM
  • We now allow 10 times the number of files/folders.
  • Failover delayed due to slow stopping services
  • On Windows Server 2008 R2, if the WS_FTP Server and SSH Server services lose access to the SQL database, they remain in a prolonged stopping state. These services should each now take around 15-20 seconds to shut down if the database is down.
  • When you have an SSL certificate larger than 2048-4096 installed in IIS and bound to the site, you receive an error when trying to install the modules. The following error is received: "There was an error serializing the security certificate. Setup will abort." Thereafter, login attempts fail. Fixed this issue to allow larger pre-existing SSL certificates.
  • Web Module installation does not use the existing certificate in IIS 8 but creates a new one on Windows Server 2012. When importing a certificate via IIS and the option to import into a new "Webhosting" certificate store is selected, the following warning now displays: "Unable to use the existing certificate bound in IIS because it's located in a certificate store other than Personal. The installation will continue with a newly generated self-signed certificate." The certificate needs to be in the Personal store for WS_FTP Server not to create a new one.
  • Secondary LDAP user database is not checked when primary LDAP user database is down.
  • Server does not attempt to connect to the secondary LDAP server when the primary server fails. Fixed the issue by updating the DLL file for the LDAP connection.
  • After removing a machine's IP from the blacklist, WTM login continues to fail until IIS is reset
  • Fixed this issue. WTM wasn’t being notified when blacklist items were removed because it didn't have a 'heartbeat' process set up that was enabled for AHT/FTP/SSH. It should now behave the same as the other interfaces. It may take a few minutes, but now users will be able to log in after their IP has been removed from the blacklist without needing an IIS reset.
  • SSH private key can be imported into an SFTP client without prompting for passphrase
  • When the WS_FTP Server generates an SSH user key it prompts for a passphrase, but when that key is imported into an SFTP client the passphrase is never requested. The OpenSSL functions were not correctly generating the PEM-formatted key with encryption. Fixed this issue by specifying 3DES encryption when writing the key file.
  • CTR ciphers are not added to all SSH listeners on upgrade (WS_FTP Server versions 7.1 to 7.6 Build 452 on 2k8G 32-bit MSSQL 2008 SP3/Internal Web Server)
  • When multiple SSH listeners were created to listen on unique IP addresses and then WS_FTP Server was upgraded, not all SSH listeners would have the new CTR ciphers added; the ciphers could, however, be added manually. Fixed this issue so that upgrading does add the CTR ciphers to the other listener IPs.
  • Cannot reach syslog server with host name
  • When entering details for a syslog server you could not use the host name and had to use the IP address. Fixed this issue by adding a function call to resolve the host names.
  • Using PSFTP to move .tif files from one directory to another via SSH on the WS_FTP Server using the MV (Move) command caused intermittent system exception error within the FTP Server log files on Windows 2008 R2 64-Bit, MS SQL 2012 and PostgreSQL 8.3.20.
  • There was a race condition where the permissions object could sometimes be released before it was accessed when checking permissions for a file. This issue is now fixed.