CVE-2022-27665: What's New in WS_FTP Server 2020.0.0 (8.7.0)

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.
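As an added detection example (not code from the page, from Progress, or from the WS_FTP Server product), the script below scans IIS-style W3C log lines for requests to the GetFileSubTree URI named in the CVE description whose query parameters carry AngularJS interpolation delimiters ({{ ... }}), the marker of the client-side template injection described above. The log lines are constructed sample data, the field order is an assumption, and the assumption that the subFolderPath value arrives in the query string is also an assumption; real deployments should adapt the parser to their logging format and may need a request-body source (for example a WAF or reverse-proxy log) if the parameter is posted.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style log lines (sample data made up for this example, not
# from the page or the product). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
2022-03-01 10:00:01 10.0.0.5 GET /ThinClient/WtmApiService.asmx/GetFileSubTree subFolderPath=%2Fhome%2Fuser%2Fdocs 443 192.0.2.10 200
2022-03-01 10:00:07 10.0.0.5 GET /ThinClient/WtmApiService.asmx/GetFileSubTree subFolderPath=%7B%7B1%2B1%7D%7D 443 198.51.100.7 200
2022-03-01 10:00:09 10.0.0.5 GET /ThinClient/Login.aspx - 443 192.0.2.10 200
2022-03-01 10:00:12 10.0.0.5 GET /ThinClient/WtmApiService.asmx/GetFileSubTree subFolderPath=%257b%257bx%257d%257d&depth=1 443 198.51.100.7 200
"""

# URI stem named in the CVE description; compared case-insensitively because IIS
# paths are case-insensitive. Extend this set with other reflected endpoints.
WATCHED_STEMS = {"/thinclient/wtmapiservice.asmx/getfilesubtree"}

# AngularJS interpolation delimiters; whatever sits between them is evaluated as
# an expression on the client if the server reflects it into a template.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}", re.DOTALL)

FIELDS = ("date", "time", "s_ip", "method", "stem", "query", "port", "c_ip", "status")


def parse_line(line):
    """Split one W3C log line into a dict, or return None for comments/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_template_injection(log_text, watched_stems=WATCHED_STEMS):
    """Return findings for watched requests whose query parameters carry {{ ... }}."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None or rec["stem"].lower() not in watched_stems or rec["query"] == "-":
            continue
        # parse_qs percent-decodes once; a second unquote() catches double-encoded
        # delimiters (%257B -> %7B -> {) that a single decode would miss.
        for name, values in parse_qs(rec["query"], keep_blank_values=True).items():
            for value in values:
                decoded = unquote(value)
                if TEMPLATE_EXPR.search(decoded):
                    findings.append({
                        "line": lineno,
                        "client": rec["c_ip"],
                        "param": name,
                        "value": decoded,
                    })
    return findings


if __name__ == "__main__":
    for f in find_template_injection(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} sent {f['param']}={f['value']!r}")
```

Two of the four constructed lines are flagged: the single-encoded and the double-encoded expressions, both from the same client address, which is the pattern a responder would pivot on. Benign paths and requests without a query string are ignored, and the regex is deliberately narrow so that ordinary folder names do not alert.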


2020.0.0 (8.7.0) Dec 15, 2020

2020.0.1 (8.7.1) Aug 30, 2021 (updated)

2020.0.2 (8.7.2) April 22, 2022 (updated)

2020.0.3 (8.7.3) Aug 1, 2022 (updated)

The WS_FTP Server 2020.0.0 (8.7.0) release focused on security vulnerabilities and customer issues to ensure that all security updates were applied to provide users with a secure and quality product.

The following are the main security enhancements and bug fix highlights that were applied to the 2020 release:

  • Database passwords containing special characters are accepted
  • Updated third party components to versions that address known security vulnerabilities.
  • Log viewer filters are applied to exported log data
  • Email addresses of users with a top level domain longer than 5 characters are accepted by WS_FTP Server
  • The WS_FTP Server admin log on page renders correctly
  • The installation documentation was updated to include the following important information:
    Installing WS_FTP Server on a domain controller is not supported

For details of all of the fixed vulnerabilities and issues, see Fixed Issues.

The WS_FTP Server UI and documentation were rebranded as Progress WS_FTP Server.

Support for WS_FTP Web Server will be deprecated in future releases.

Fixed Issues in 2020.0.0 (8.7.0)

The following issues were fixed in WS_FTP Server 2020.0.0 (8.7.0).

ID (Category): Fixed Issue

  • 6007 (Documentation): The installation documentation was updated to include the following important information: installing WS_FTP Server on a domain controller is not supported.
  • 6208, 6219, 6222, 6256 (Install, SSH, Database): Special characters in database passwords are now supported during installation and database configuration.
  • 6301 (Security): The AngularJS version used for the WTM and AHT modules was upgraded to version 1.8 to prevent vulnerabilities.
  • 6302 (Security): WS_FTP Server’s cookies now have the Secure and HttpOnly attributes.
  • 6325 (Security): The prototype.js version used in WS_FTP Server was upgraded to version 1.7.3 to prevent vulnerabilities.
  • 6342, 6345, 6346 (Security, WTM): Fixed a directory traversal vulnerability in WS_FTP Server’s WTM interface.
  • 6348 (Logging Server): Filters that were applied to the log viewer are now also applied to the .XML export option.
  • 6350 (Users): Email addresses of users with a top-level domain longer than 5 characters are now accepted by WS_FTP Server.
  • 6351 (Web Admin): The WS_FTP Server admin log on and home pages now render correctly.
  • 6352 (Security, Server Admin): Updates were applied to the LogServer login page to protect against cross-site scripting (XSS).
  • 6356 (Security): Error messages were sanitized to prevent the disclosure of potentially sensitive data.
  • 6383 (Security): The FTP server (and SSH server) no longer reveal the product version to unauthenticated users.
  • 6419 (Core): Sessions time out after the specified time (the default is 600 seconds) or when a client disconnects.

Fixed Issues in 2020.0.1 (8.7.1)

The following issues were fixed in WS_FTP Server 2020.0.1 (8.7.1).

ID (Category): Fixed Issue

  • 12244 (Database): Fixed an issue that caused an error connecting to SSH/FTP after database migration from PostgreSQL to MSSQL.
  • 12769 (Web Transfer Module): Web Transfer Module now successfully opens as part of application pool creation.

Fixed Issues in 2020.0.2 (8.7.2)

The following issues were fixed in WS_FTP Server 2020.0.2 (8.7.2).

ID (Category): Fixed Issue

  • 12339 (SRVR/Security): The PostgreSQL version used in WS_FTP Server was upgraded from version 10.14 to 10.20 to prevent vulnerabilities.

Fixed Issues in 2020.0.3 (8.7.3)

The following issues were fixed in WS_FTP Server 2020.0.3 (8.7.3).

ID (Category): Fixed Issue

  • 6315, 6332, 12240, 15175, 15178, 15179, 15184, 15185 (Server, Security): Addressed Cross-Site Request Forgery (CSRF) issues in the WS_FTP Server Administrative interface.
  • 15168, 15181, 15182, 15183, 15186, 15187, 15188 (Server, Security): Addressed cross-site scripting (XSS) issues in the WS_FTP Server Administrative interface.

Known Issues

This section details known issues and workarounds in all WS_FTP Server 2020.0 (8.7) releases.

ID (Category): Known Issue Description

  • 15343 (Install): A repair installation issue with WS_FTP Server 2020.0.0 or later prevents users from upgrading to the next available version.
    Note: This issue affects only the WS_FTP Server 2020 releases (2020.0.0, 2020.0.1, and 2020.0.2) where a repair has been applied to an upgraded installation. For upgrade information and next steps, see this knowledge base article.

System Requirements

These requirements apply to the supporting environment and operating system where you install WS_FTP Server.

Software Requirements

Supported Operating Systems for WS_FTP Server

The Operating Systems are supported for the following WS_FTP Server configurations:

  • Standalone
  • Failover cluster using Microsoft Clustering Services
  • Failover cluster using Microsoft Network Load Balancing

Operating System

  • Windows Server 2019 Standard/Datacenter (standalone only)
  • Windows Server 2016 Standard/Datacenter (standalone only)
  • Windows Server 2012 R2 Standard/Datacenter (standalone only)

Windows Server Components Activated Automatically

The WS_FTP Server installer automatically activates certain components in your Windows Server installation. This is necessary because after installation Windows Server does not turn on non-core operating system components. However, before installing WS_FTP Server, you should ensure these changes conform to your organization’s security policies.

When you install WS_FTP Server, the installer activates the following Windows Server roles:

  • ISAPI Extensions
  • Windows Authentication
  • ASP

Supported Web Browsers

The following browsers are supported for WS_FTP Server Manager and the Web Transfer and Ad-Hoc Transfer client interfaces:

  • Chrome
  • Mozilla Firefox
  • Microsoft Edge

Database Platform

WS_FTP Server requires one of the database platforms listed below.

The default database platform is PostgreSQL; during installation, however, you can select Microsoft SQL Server as the database for configuration data.

  • PostgreSQL 10.20
  • Microsoft SQL Server 2017 Enterprise/Standard
  • Microsoft SQL Server 2016 Enterprise/Standard

Framework and Accessibility

WS_FTP Server requires the Microsoft .NET Framework and other Microsoft packages for scripting and software accessibility. Microsoft .NET Framework 4.6 is included in the installation program.

Hardware

Minimum requirements

  • 4-core server-class CPU (For example: Intel Xeon 4-core 2+GHz)
  • 4 GB RAM
  • 250 GB or larger free disk space, depending on estimated data to be stored
  • 100/1000 MB Ethernet interface (for TCP/IP traffic)

Ad Hoc Transfer Plug-in Requirements

The following software must be installed on the machine on which you install the Ad Hoc Transfer Plug-in for Outlook.

  • Microsoft Outlook 2016, 2013, or 2010
  • Supported on Windows Operating Systems only.

Note: If you are running the installer live (not doing a silent install), the installer automatically installs the Microsoft Visual Studio redistributable programs. You do not need to download anything from Microsoft. If running a silent install, you must download and install these redistributable programs before running the install. See the Requirements in the Silent Install section.

Note: For silent installation instructions for the Ad Hoc Transfer Plug-in for Outlook, see Silent install of the Ad Hoc Transfer Plug-in for Outlook.

Upgrading

Upgrading to the latest version of WS_FTP Server ensures that you have access to the latest features, fixes, security updates, and usability improvements.

WS_FTP Server 2020.0.0 (8.7.0) supports direct upgrades from WS_FTP Server 2017 Plus (8.5) and later. For more information, see Upgrade Paths.

Upgrading information and considerations

Latest features and improvements

For the most up-to-date information about the latest supported features and improvements, see What’s New.

Hardware Requirements

Review the current WS_FTP Server System Requirements.

Activation code

The activation code is automatically applied when you run the WS_FTP Server installer to upgrade.

  • Your upgrade activation code is embedded in the installer file.
  • The activation code is also stored in the section of the Progress Community.
  • The activation code differs from your serial number. The code begins with your serial number and contains an additional eight characters.

Support for older WS_FTP Server Versions

For information about support for previous versions of WS_FTP Server, see the Product Lifecycle page on the Progress Community website. Customers running EOL or soon-to-be-EOL versions should upgrade to WS_FTP Server 2020.

Upgrade Paths

To upgrade from an earlier version of WS_FTP Server to WS_FTP Server 2020, you must download the installer file.

  1. Log in to the Progress Community.
  2. Select .
  3. Locate and download your product. Your activation code is embedded in the download file, and is automatically applied during installation.

Upgrade paths

WS_FTP Server 2020 supports direct upgrade installations from the following versions:

  • WS_FTP Server 2018 (8.6)
  • WS_FTP Server 2017 Plus (8.5)

Note: The upgrade paths are valid only on supported Operating Systems. For more information, see WS_FTP Server System Requirements.

For detailed installation and configuration instructions, or activating a new or upgraded license, see the WS_FTP Server Installation and Configuration Guide.

Note: If you upgrade from a version earlier than 2020, the default installation folders do not change. For example, the WS_FTP Server installation folder will be C:\Program Files (x86)\Ipswitch\WS_FTP Server.

Copyright Notice

© 2022 Progress Software Corporation and/or one of its subsidiaries or affiliates. All rights reserved.

These materials and all Progress® software products are copyrighted and all rights are reserved by Progress Software Corporation. The information in these materials is subject to change without notice, and Progress Software Corporation assumes no responsibility for any errors that may appear therein. The references in these materials to specific platforms supported are subject to change.

Chef, Chef (and design), Chef Infra, Code Can (and design), Compliance at Velocity, Corticon, DataDirect (and design), DataDirect Cloud, DataDirect Connect, DataDirect Connect64, DataDirect XML Converters, DataDirect XQuery, DataRPM, Defrag This, Deliver More Than Expected, DevReach (and design), Icenium, Inspec, Ipswitch, iMacros, Kendo UI, Kinvey, MessageWay, MOVEit, NativeChat, NativeScript, OpenEdge, Powered by Chef, Powered by Progress, Progress, Progress Software Developers Network, SequeLink, Sitefinity (and Design), Sitefinity, Sitefinity (and design), SpeedScript, Stylus Studio, Stylized Design (Arrow/3D Box logo), Styleized Design (C Chef logo), Stylized Design of Samurai, TeamPulse, Telerik, Telerik (and design), Test Studio, WebSpeed, WhatsConfigured, WhatsConnected, WhatsUp, and WS_FTP are registered trademarks of Progress Software Corporation or one of its affiliates or subsidiaries in the U.S. and/or other countries.

Analytics360, AppServer, BusinessEdge, Chef Automate, Chef Compliance, Chef Desktop, Chef Habitat, Chef WorkStation, Corticon.js, Corticon Rules, Data Access, DataDirect Autonomous REST Connector, DataDirect Spy, DevCraft, Fiddler, Fiddler Everywhere, FiddlerCap, FiddlerCore, FiddlerScript, Hybrid Data Pipeline, iMail, JustAssembly, JustDecompile, JustMock, KendoReact, NativeScript Sidekick, OpenAccess, PASOE, Pro2, ProDataSet, Progress Results, Progress Software, ProVision, PSE Pro, Push Jobs, SafeSpaceVR, Sitefinity Cloud, Sitefinity CMS, Sitefinity Digital Experience Cloud, Sitefinity Feather, Sitefinity Insight, Sitefinity Thunder, SmartBrowser, SmartComponent, SmartDataBrowser, SmartDataObjects, SmartDataView, SmartDialog, SmartFolder, SmartFrame, SmartObjects, SmartPanel, SmartQuery, SmartViewer, SmartWindow, Supermarket, SupportLink, Unite UX, and WebClient are trademarks or service marks of Progress Software Corporation and/or its subsidiaries or affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Any other marks contained herein may be trademarks of their respective owners.

This document was published on 10 August 2022 at 13:25
