back to article Now MOVEit maker Progress patches holes in WS_FTP

Progress Software, maker of the mass-exploited MOVEit document transfer tool, is back in the news with more must-apply security patches, this time for another file-handling product: WS_FTP. We're told this software's ad hoc transfer module and WS_FTP's server management interface were found to have eight vulnerabilities, with …

  1. Doctor Syntax Silver badge

    We've been pushing information backwards and forwards between boxes for longer than the almost 40 years since I started in IT. FTP is one of the oldest tools I've used for the job. There have been some long standing, solid implementations since well before .Net was even thought of. Why anyone thought a reinvention of that wheel should be necessary is beyond my comprehension. And countless sysadmins have scripted ftp and the like into their processes for years without the need for some 3rd party overlay which I presume is to make it easier for businesses that aren't prepared to employ admins with scripting skills.

    Adding that up it's a substantial increase of the attach surface most likely accompanied by a weakening of the guard. Is anyone surprised we have problems like this? And weren't we supposed to replace FTP with something that didn't sedn passwords in plain text years ago?

    1. Kevin McMurtrie Silver badge

      FTP doesn't even need MITM attacks. Simply guessing the next port to be used for a file transfer can be good enough. You can give it points for not pretending to be secure enough for anything but an air-gapped network. The bad news doesn't seem to stop for Progress.

    2. abend0c4

      Why anyone thought a reinvention of that wheel should be necessary

      For the same reason telnet has been replaced by ssh - it just doesn't cut it anymore.

      As it happens, WS_FTP was originally a shareware FTP implementation for Windows and although it's incorporated features such as https and ssh none of them are reinventions per se, they're all standard protocols. The "feature" of WS_FTP is its Windows GUI, but as far as I'm aware the actual file transfer part has been generally regarded as "long standing" and "solid" until now. I suspect MOVEit is essentially just parts of WS_FTP with workflow automation.

      It's a similar situation with Exim. You could ask why you would even bother given there was already a long-standing sendmail implementation since the early days - that's assuming you've never attempted to configure sendmail. Exim has also been around a long time and been quite well regarded.

      I think there's a bigger lesson here and one we keep failing to learn, though perhaps we might just be starting to. It doesn't matter how good your reputation is or how much care you take - it's just too easy for errors of this kind to occur and some are always going to slip through with the tools we have and the consequences are disproportionate to the scale of the error. The problem is not that we're failing to use old and trusted code, the problem is that the old code isn't as trustworthy as we think and it's unnecessarily difficult to create new code that we can trust more.

      1. Doctor Syntax Silver badge

        If it includes sftp that's at least a start. But bolting on a GUI would be worrying.

        And yes, I have tried configuring sendmail. Once. Long ago.

        1. Vometia has insomnia. Again. Silver badge

          For some reason I just couldn't get my head around sendmail. It doesn't strike me as that complicated, but it just seemed to exist in a persistent blind spot of mine. I eventually gave up and used Postfix instead which I found far less cryptic. Sendmail's configuration weirdness reminded me a lot of the same problem I had with csh scripting, which I figured should be straightforward as someone familiar with C and sh, but I eventually gave up with that for the same reason.

          1. Anonymous Coward
            Anonymous Coward

            Any references to sendmail configuration complexity are likely referring to the original method of modifying sendmail.cf by hand *before* sendmail switched to using m4 macros to generate sendmail.cf (which made it somewhat easier to configure).

            Been there, done that, still trying to forget about it lol

  2. t245t
    Terminator

    WS_FTP's server management interface

    Anything that has a web browser on the end is invariably open to such attacks.

  3. Anonymous Coward
    Anonymous Coward

    WS_FTP?

    That's still a thing?

    1. 42656e4d203239 Silver badge

      Re: WS_FTP?

      yup - but no longer [free,share]ware.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like