Using an Internet Browser for FTP with an OES FTP server fails to prompt for password

  • 7011486
  • 11-Dec-2012
  • 12-Dec-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Novell Open Enterprise Server 11 (OES 11) Linux

Situation

An FTP URL without a user name or password is entered into a browser such as Internet Explorer.  The URL points to an OES FTP server.  The user is not prompted for their user name and password, and the session fails.
 
TCP level troubleshooting proves that the TCP connection was established successfully, but disconnect happened upon the authentication attempt.  So it is not a connectivity issue.

Resolution

As a user-level workaround, a browser can be given a user name in the URL, in the format:
 
Optionally, a password can also be included in the URL:
 
Of course, the abnormal type of failure should not be occurring.  The weakness in the code (an invalid memory pointer in OES enhancements to pure-ftpd) has been identified and corrected.  Even so, actual failures from this particular weakness have proven to be rare.  The exact conditions necessary to trigger the problem are not known, and it is not easily reproducible in test environments.
 
For systems running OES 11 SP1:  The issue is already corrected in the package "novell-oes-pure-ftpd" which shipped with OES 11 SP1.
 
For systems running OES 11 SP0 (aka OES 11 without any support pack):  The FTP service there is provided by the pure-ftpd package, which is part of SLES 11 SP1.  SLES 11 SP1 is no longer in maintenance, so a public release of the fix is not planned.  The recommended solution is to update to SLES 11 SP2 and OES 11 SP1.  However, if a fix is needed before such updates can be performed, email dpartrid@novell.com for a test version of the fix, which can be run on OES 11 SP0.
 
For systems running OES 2 SP3:  This symptom has never been reported on OES 2 SP3.  However, until recently, the vulnerability still existed in the code.  Hypothetically, under certain unknown conditions, the problem might occur.  If so, the system will need to be running SLES 10 SP4, and then pure-ftpd should be updated with maintenance updates.  Specifically, update to version 1.0.22-0.30.1 or greater.
 
For systems running OES 2 SP2 and experiencing this issue:  OES 2 SP2 was out of maintenance before this issue was corrected.  No test fix exists.  The system should be updated to OES 2 SP3.  For all known cases of this issue on OES 2 SP2, the symptom was eliminated by moving to OES 2 SP3.

Cause

When a browser is given an FTP URL without a user name (i.e.  ftp://server1 ) it first attempts an anonymous login.  If this fails with a normal login failure (as it should, if the FTP server does not support anonymous login), the browser will then ask the user for their name and password, and attempt to login with those.
 
However, in some cases, the anonymous login may fail abnormally, resulting in a closed TCP connection, rather than the return of a normal error message.  In this event, a browser will likely consider the session aborted, and will not prompt the user for their credentials.  Attempts to refresh or reconnect will simply repeat the failure.