FTP PROBLEM

[luizpedrini]

I´m using the FTP on the uTasker v 1.4 and having some trouble.

I have enabled ACTIVE_FTP_LOGIN, for use the ftp only with authentication and changed the default user and password.

This works fine on IE, but on DOS ftp I was able to login with any USERNAME / PASS.

On Firefox, i was able to access with a blank password on the second try.

My configuration:

config.h

//#define ANONYMOUS_LOGIN                                      
#define FILE_NAMES_PER_FTP_FRAME    6                      
#define FTP_SOCKETS 2                                  
#define FTP_SUPPORTS_NAME_DISPLAY            
#define FTP_SUPPORTS_DELETE                      
#define FTP_SUPPORTS_DOWNLOAD                  
#define FTP_VERIFY_DATA_PORT                      
#define FTP_PASV_SUPPORT                            
#define DATA_PORT_TRIGGERS_CONTROL          
#define FTP_USER_LOGIN
#define FTP_WILDCARD_DEL                            
#define FTP_DATA_WINDOWS            2            
#ifdef INTERNAL_USER_FILES
#define FTP_DISPLAY_USER_FILES                
#define MAX_FILE_NAME_LENGTH    20          

I´m using CW 7.0.

Where is my mistake?

Thanks

[mark]

Hi

I don't think that you are making a mistake, but instead have found a loop hole.

Originally this was tested mainly with IE6.0 but for the last year or more more use is made of DOS due to the problems with newer IE versions (IE6.0 was very handy with its FTP drag-and-drop functionality...).

The problem is that the checking routine is letting zero length inputs through (which IE never sends).

To improve this you can make the following change:
- In fnCheckPass() in webutils.c
- just before the following check

    if ((ucCnt < 8 ) && (*ucNewInput != '&')) {                          // if we quit because the end of the reference has been found, we check that also the new input has exactly the same length
        return 1;                                                        // bad password!!
    }

add a further check

    if (ucCnt == 0) {
        return 1;                                                        // empty input entered so refuse
    }

This will stop access with anything other than correctly matching user name and password.

There is however a small difficulty with DOS FTP. When the password is refused it used to cause the other clients to close the connection but this is not the case with DOS FTP; it doesn't close the connection automatically so it is necessary to wait for a timeout when it happens. This may be a bit annoying if it is due to a mistake so I have quickly tested the following too:
1) In ftp.c set ucFTP_state = FTP_STATE_PREPARE_CLOSE; instead of ucFTP_state = FTP_STATE_CONNECTED; when the log in fails (just after the line if (cPasswordAccess != 0) { )

2). In fnFTPLister() add the following code to the TCP_EVENT_ACK case:

    case TCP_EVENT_ACK:
        ucLastControl = MSG_DO_NOTHING;
        if (ucFTP_action != DO_LIST) {
#if defined FTP_USER_LOGIN
            if (FTP_STATE_PREPARE_CLOSE == ucFTP_state) {
                fnTCP_close(Socket);
                ucFTP_state = FTP_STATE_CONNECTED;
                return APP_REQUEST_CLOSE;
            }
#endif
            fnSendFTP(fnGetQueue());                                     // if there are queued command, send next one
        }
        break;

This doesn't actually close the DOS connection since DOS FTP will not complete the close, but it does make it graceful since DOS FTP then gives up when the user tries entering anything else. Give it a try and see whether it then makes for a practical solution for your requirements.

Regards

Mark

[luizpedrini]

Hi Mark,

Once again I think have found some incorrect behavior on the FTP authentication.

The fnCheckPass() is parsing the user/pass and accepting substrings of the correct string. If the string is shorter then the reference, but have the same initial characters sequence  then will be parsed as valid.

I mean, if the correct password is foobar, an user can access using foo.

The same happens with the username.

[mark]

Hi

Yes, you are again correct.

I suggest the following improvement to the routine:

// This checks clear text passwords using & as terminator for the input and & or null terminator for reference
//
extern int fnCheckPass(CHAR *cReference, CHAR *ucNewInput)
{
    while ((*cReference != '&') && (*cReference != 0) && (*ucNewInput != '&')) { // {10}{12}
        if (*cReference++ != *ucNewInput++) {
            return 1;                                                    // bad password!!
        }
    }   
    if (((*cReference != '&') && (*cReference != 0)) || (*ucNewInput != '&')) { // {12}
        return 1;                                                        // bad password!!
    }
    return 0;                                                            // password is OK
}

This assumes a reference which is terminated by either a null terminator (normal string) or by '&'. The entered user's name or password is always terminated by '&', which comes from the coding used to transmit it over the connection (FTP or HTTP). This requires an exact match in the content and also the length. It also removes the original restriction of 8 characters in the inputs, meaning that longer references can be used.

My tests with this were successful. If you can confirm that you find no issues I will include this improvement in the next version.

Regards

Mark

[luizpedrini]

Hi Mark,

I´ve done tests and all works correct now!

Thanks for the quick response!

Best Regards.