Secure FXP major bug

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed

Moderators: white, Hacker, petermad, Stefan2

Post Reply
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Secure FXP major bug

Post by *Isica »

Hello,Christian.

When trying to fix the FXP security problem, a mistake was made, and FXP via FTPS stopped working on Shift + F5.
In addition, FXP sometimes does not work if the session was established with "PROT D", although this is not difficult to fix :-)

CAUSE OF PROBLEM
If server support SSCN command, Shift + F5 incorrectly initializes the second connection: data encryption (PROT P) is always enabled, even if it was disabled in the main session.

DECISION
I suggest you implement a simple, fast and secure algorithm that solves all issues with FXP.
1. Copying a file within a single server (like Shift + F5):
a) first, try using SITE COPY (this is the fastest, and sometimes the only possible way, because FXP may be denied);
b) if it's not supported - use FXP, only ALWAYS with "PROT C" (even if the session was established with "PROT D"), because it's faster, and connecting the server to itself is completely safe, and it's silly to encrypt it;
c) when FXP was fail, then use "Copy via local PC".
2. FXP between two different servers:
a) if user-defined PROT value on both servers is "C" then use "PROT C";
b) if user-defined PROT value of anyone or both server(s) is "P", then try use SSCN; if it's not supported or fail - ask the user to choose between "PROT C" or "copy via local PC" (for security reasons).
c) when FXP was fail, then fallback to "Copy via local PC".

COMMENT
In a good way, you should add the "encrypt data" checkbox to the settings form of the FTPS connection so that the user can easily select the required security level (personally, I usually use "C", and TC uses "P" by default).
Although even now users can specify "PROT C" in the "Send commands" settings, and TC seems to be trying to track this ...
Last edited by Isica on 2019-12-10, 16:13 UTC, edited 10 times in total.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP CRITICAL bug!

Post by *ghisler(Author) »

1. FXP should work as it is now if BOTH servers signal to support it and allow plain text transfers.
2. I have never seen any server supporting SITE CPFR/CPTO. Which server supports this?
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: Secure FXP major bug

Post by *Isica »

ghisler(Author) wrote: 2019-10-30, 17:27 UTC I have never seen any server supporting SITE CPFR/CPTO. Which server supports this?
ProFTPd

UP
I studied your algorithms in more detail, and found out that the problem only occurs with Shift + F5.
In view of this, I edited the first post, and I ask you to re-read it carefully again.
I think that the algorithm I proposed is very good and easy to implement :-)
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP major bug

Post by *ghisler(Author) »

ghisler.ch uses proftpd. However,
HELP SITE
only reports CHGRP and CHMOD as supported SITE commands. It must be either quite new or an optional command.
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: Secure FXP major bug

Post by *Isica »

For SITE COPY commands to work, you need ProFTPd v1.3.x (but v1.3.6a or later is strongly recommended), with the mod_copy module. (I'm already gave you a ->link<- to this material twice, but you did not see it).
If available, these commands are displayed in FEAT and SITE HELP (but not in HELP SITE).

You can take a look at this live here: ftp://185.248.101.80
I can give you a login for testing.

And hike, here's another useful command for you: SITE RMDIR (it deletes a directory recursively).
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP major bug

Post by *ghisler(Author) »

I have checked it now:
1. Shift+F5 sends PROT C for clear text transmissions if the server doesn't support the SSCN command.
2. F5 between servers fails if the servers don't support the SSCN command. I will support PROT C too.
3. Shift+F5 doesn't currently have the checkboxes to copy via PC and to copy the timestamp. I will add them.
4. F5 between servers already copies the timestamp if the target server supports it.
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: Secure FXP major bug

Post by *Isica »

ghisler(Author) wrote: 2019-11-01, 15:40 UTC I have checked it now:
1. Shift+F5 sends PROT C for clear text transmissions if the server doesn't support the SSCN command.
I'm recheck it--yes, it's true. Fovewer, when server support SSCN, but user enforce clear data connection (sets "Send Commands"="PROT C"), the TC establish second connection with PROT D, and FXP session fail.
2. F5 between servers fails if the servers don't support the SSCN command. I will support PROT C too.
Of course, but here you should remember about security, and it is better to let the user choose between PROT C and "copy via local PC" (see section 2.b in the topic header).
3. Shift+F5 doesn't currently have the checkboxes to copy via PC and to copy the timestamp. I will add them.
"Copy via PC" on Shift + F5? Yes, in especially severe cases (when FXP is not available at all), this method may come in handy.
Then I add it to my algorithm, and once again I invite you to re-read the topic header :-)

4. F5 between servers already copies the timestamp if the target server supports it.
Yes, it copies, but not always. I described this bug in detail in a separate topic: https://www.ghisler.ch/board/viewtopic.php?f=32&t=54470

REMARK
It must be understood that SSCN may not work even when it is supported by the server (for example, servers may not trust each other's certificates). In this case, you need to use other (old) algorithms, when SSCN was fail.
Last edited by Isica on 2019-11-05, 00:46 UTC, edited 1 time in total.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP major bug

Post by *ghisler(Author) »

Fovewer, when server support SSCN, but user enforce clear data connection (sets "Send Commands"="PROT C"), the TC establish second connection
I agree, in this case I also need to use PROT C. I will add it.
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: Secure FXP major bug

Post by *Isica »

2ghisler(Author)
Beta4 still use PROT P on Shift+F5.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP major bug

Post by *ghisler(Author) »

Could you try with the latest beta version, please?
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: Secure FXP major bug

Post by *Isica »

The bugs was be fixed, but there was a security leak (see clause 2.b in the topic header) and stupidity (clause 1.b).
Also, unfortunately, the fastest and sometimes the only possible method (SYTE COPY, clause 1.a) was don't implemented :(
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP major bug

Post by *ghisler(Author) »

I'm sorry but I will not implement SITE COPY as long as there are no servers supporting it out of the box. Furthermore, mod_copy seems to have vulnerabilities (CVE), so it's not advised to enable it.
Author of Total Commander
https://www.ghisler.com
Isica
Junior Member
Junior Member
Posts: 38
Joined: 2013-09-24, 05:07 UTC

Re: Secure FXP major bug

Post by *Isica »

This vulnerability, known as bug #4372, was fixed in v 1.3.6a, and the mod_copy module was already included in the box again. So it is relevant ;-)

PS
In addition, it would be very cool to use SITE RMDIR to recursively delete a directory, because it gives a huge gain in speed!

PPS
And please take a look at ->this topic<- - I think in vain you moved it.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: Secure FXP major bug

Post by *ghisler(Author) »

The problem is that most Linux distributions are extremely conservative, with the included programs many years behind the current development.
Author of Total Commander
https://www.ghisler.com
Post Reply