D. J. Bernstein

publicfile

publicfile is discussed on the publicfile mailing list.

What is it?

publicfile supplies files to the public through HTTP and FTP.

Security features:

HTTP features:

FTP features:

Other HTTP servers and FTP servers

Apache is a big, powerful HTTP server, by far the most widely installed server on the Internet. Unfortunately, the code base has a history of security problems: Apache before version 1.1.3 allowed remote users to take over the web server, and Apache before version 1.2.5 (1998-01) allowed local users to take over the web server. Are the authors confident that no such problems will ever happen again?

Similar comments apply to wu-ftpd, the most widely installed FTP server on the Internet. wu-ftpd has had several bugs that allowed remote users to take over the entire machine: one fixed in version 2.0 (1993-04), one fixed in version 2.4 (1994-04), one fixed in version 2.4.2-beta18-VR10 (1998-11), one fixed in version 2.6.0 (1999-10), one fixed in version 2.6.1 (2000-07), and one fixed in version 2.6.2 (2001-11).

ProFTPD has had several bugs that allowed remote users to take over the entire machine: one fixed in version 1.2.0pre2 (1999-02), one fixed in version 1.2.0pre4 (1999-09), one fixed in version 1.2.0pre5 (1999-09), one fixed in version 1.2.0pre6 (1999-09), one fixed in version 1.2.0pre8 (1999-10), and one fixed in version 1.2.0rc1 (2000-07). As of 2000-07, ProFTPD continues to be advertised as a ``secure'' FTP server.

Many versions of the BSD ftpd, including the HP-UX 10 ftpd and the ``audited'' OpenBSD 2.7 ftpd, have had a bug allowing remote users to take over the entire machine.

Some versions of fhttpd allowed remote users to take over the entire machine. ``I don't think bugs of this kind are left in it,'' the author says. How much is he willing to bet?

I found security holes in thttpd, fixed in version 2.05 (1999-11), allowing remote users to take over the web server under typical configurations. I've heard that there were also security holes fixed in version 2.04 (1998-08); I don't know how severe they were. As of 1999-11, thttpd continues to be advertised as a ``secure'' HTTP server. It ``goes to great lengths to protect the web server machine against attacks and breakins from other sites,'' the author says.

On the bright side, I haven't heard about any security holes in aftpd or mathopd.

For more information on HTTP server security (and browser security), see Lincoln D. Stein's WWW Security FAQ.

Hey, what about Windows?

Microsoft's web server for Windows, IIS, has had at least four different security holes allowing remote users to take over the machine. It has also had several security holes allowing remote users to corrupt files or steal files. The BisonWare FTP server for Windows, the Cat Soft Serv-U FTP server for Windows, the Caltech ExpressFS FTP server for Windows, the Omnicron OmniHTTPD HTTP server for Windows, and the WFTPD FTP server for Windows have each had security holes allowing remote users to take over the machine.