
DST2K0009.txt

Posted May 31, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0009 - Userlisting Bug in Ipswitch WS_FTP Server 1.05E allows remote users to confuse the server manager.

tags | exploit, remote
SHA-256 | c45c47e0f2f64311cef176002da746700559bf5930be62695ff30bd1c8a2b23b

================================================================================
Delphis Consulting Plc
================================================================================

Security Team Advisories
[31/05/2000]


securityteam@delphisplc.com
[https://www.delphisplc.com/thinking/whitepapers/]

================================================================================
Adv : DST2K0009
Title : Userlisting Bug in Ipswitch WS_FTP Server 1.05E
Author : DCIST (securityteam@delphisplc.com)
O/S : Microsoft Windows NT v4.0 Server (SP5)
Product : Ipswitch WS_FTP Server 1.05E
Date : 31/05/2000

I. Description

II. Solution

III. Disclaimer


================================================================================


I. Description
================================================================================

Severity: Low

An attacker using the "USER" command with a very long name, approximately 1000
characters, can confuse the Server Manager in certain circumstances.

If the site administrator connects remotely using the Server Manager, and then
views the Session Manager before expanding the tree, Server Manager cannot
properly administer the site during that connection. Invalid objects, or no
objects, will appear in the tree, and the Session Manager may not display
all users currently logged in.

If the site administrator opens the tree before viewing the Session Manager, only
the Session Manager data will be incorrect. Typically this manifests itself as an
inability to show all users currently connected to the site being administered.

Attempting to refresh the Session Manager whilst it is in this confused state
leads to the Session Manager not displaying any users on the site being administered.

Note that all detail still appears correctly logged in WS_FTP's log files.



II. Solution
================================================================================

Vendor Status: Informed

Currently there is no vendor patch available, but the following is a workaround the
Delphis Consulting Internet Security Team would recommend for users running this service.

The workaround is to kill the invalid username the FIRST time Session Manager is invoked.
Disconnecting and reconnecting to the remote site should then allow normal administration. It
is possible that this procedure would need to be followed several times for each invalid username.
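
Since the advisory notes that WS_FTP's log files still record everything correctly, the logs can be used to find the overlong USER names that need to be killed in Session Manager. The following is an added example, not part of the Delphis advisory or of Ipswitch's tooling; the log line layout, the 128-character threshold and the function names are assumptions to adapt to the real log format.

```python
import re
from collections import defaultdict

# Assumed threshold: the advisory cites names of roughly 1000 characters;
# anything far beyond a plausible account name is worth flagging.
MAX_USER_LEN = 128

# Assumed line shape: "<date> <time> <client-ip> <command line>".
# This is NOT WS_FTP Server's documented log format; adapt the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) .*?\bUSER (?P<name>.*?)\r?$",
    re.IGNORECASE,
)

def find_overlong_users(lines, max_len=MAX_USER_LEN):
    """Return {client_ip: [(timestamp, name_length), ...]} for overlong USER arguments."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a USER command, or not in the assumed layout
        name = m.group("name")
        if len(name) > max_len:
            hits[m.group("ip")].append((m.group("ts"), len(name)))
    return dict(hits)

def summarize(hits):
    """One row per client: (ip, event count, longest name, first seen), longest first."""
    rows = [(ip, len(ev), max(n for _, n in ev), ev[0][0]) for ip, ev in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = [
    "2000-05-31 10:02:11 192.0.2.10 USER alice",
    "2000-05-31 10:02:40 198.51.100.7 USER " + "A" * 1000,
    "2000-05-31 10:03:02 198.51.100.7 user " + "B" * 1004 + "\r",
    "2000-05-31 10:03:30 192.0.2.10 PASS ********",
    "2000-05-31 10:04:00 203.0.113.5 USER " + "c" * 300,
]

if __name__ == "__main__":
    for ip, count, longest, first in summarize(find_overlong_users(SAMPLE_LOG)):
        print(f"{ip}: {count} overlong USER command(s), longest {longest} chars, first at {first}")
```

Each reported client and timestamp points at a session whose username should be killed the first time Session Manager is opened, as the workaround describes.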


III. Disclaimer
================================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
================================================================================
