30th Jan 2002 [SBWID-5043]
COMMAND
Eserv ftpd DoS
SYSTEMS AFFECTED
Eserv 2.97
PROBLEM
From Arne Vidstrom's advisory [http://ntsecurity.nu]:
The FTP server doesn't close the sockets that are allocated from using
the PASV command. After all ports from 1024 to 5000 are listening
(after running a lot of PASV commands in a row) no users can use
passive mode anymore until the server is restarted.
This vulnerability is made even worse by the fact that the PASV command
is accepted before the user has authenticated.
-Also-
The FTP server is vulnerable to the bounce attack. Not only does it not
have a restriction on the IP address that the data connection is opened
to, but it also does not have a restriction on the target port number
at all.
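Added example, not Eserv's code and not part of the advisory: a minimal model of the two control-channel fixes the advisory calls for. Each session holds at most one PASV listener and releases it before allocating another, PASV and PORT are refused before login, and a PORT command is accepted only if it names the client's own address and a port of 1024 or above. The class and method names (FtpSession, handle_pasv, handle_port, stress_pasv) and the client address 192.0.2.10 are assumptions constructed for the example; no data transfer is modelled.

```python
import socket

# Hypothetical session logic for the two issues in the advisory above.
# Not Eserv's code; names are assumed. Only control-channel command
# handling is modelled, no real FTP data transfer takes place.


class FtpSession:
    """State for one control connection of a defensively written FTP server."""

    def __init__(self, peer_ip, listen_ip="127.0.0.1"):
        self.peer_ip = peer_ip          # address the control connection came from
        self.listen_ip = listen_ip      # address advertised in the 227 reply
        self.authenticated = False
        self.pasv_socket = None         # at most ONE listening data socket per session
        self.data_target = None         # (ip, port) set by an accepted PORT command

    def login(self):
        # Credential checking omitted; the point is the gate on PASV/PORT below.
        self.authenticated = True

    def handle_pasv(self):
        """PASV: allocate a data listener, releasing the previous one first."""
        if not self.authenticated:
            # Advisory point 2: PASV must not be usable before authentication.
            return "530 Please log in with USER and PASS."
        # Advisory point 1: close any listener left from an earlier PASV so that
        # repeated PASV commands cannot exhaust the ephemeral port range.
        self.close_data_socket()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((self.listen_ip, 0))     # port 0: the kernel picks a free ephemeral port
        s.listen(1)
        self.pasv_socket = s
        port = s.getsockname()[1]
        h = self.listen_ip.replace(".", ",")
        return "227 Entering Passive Mode (%s,%d,%d)" % (h, port // 256, port % 256)

    def handle_port(self, arg):
        """PORT h1,h2,h3,h4,p1,p2: accept only a non-privileged port on the client itself."""
        if not self.authenticated:
            return "530 Please log in with USER and PASS."
        parts = arg.split(",")
        if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
            return "501 Syntax error in parameters or arguments."
        nums = [int(p) for p in parts]
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Bounce-attack restrictions the advisory says the server lacked:
        if ip != self.peer_ip:
            return "500 Illegal PORT command: address does not match control connection."
        if port < 1024:
            return "500 Illegal PORT command: port must be 1024 or above."
        self.data_target = (ip, port)
        return "200 PORT command successful."

    def open_listener_count(self):
        """Number of PASV listeners this session currently holds (0 or 1)."""
        return 0 if self.pasv_socket is None else 1

    def close_data_socket(self):
        if self.pasv_socket is not None:
            self.pasv_socket.close()
            self.pasv_socket = None

    def quit(self):
        self.close_data_socket()
        return "221 Goodbye."


def stress_pasv(session, n=200):
    """Issue n PASV commands on an authenticated session and report how many
    listeners remain open: a server that releases them returns 1, a leaking
    one would climb toward n."""
    for _ in range(n):
        session.handle_pasv()
    return session.open_listener_count()


if __name__ == "__main__":
    s = FtpSession(peer_ip="192.0.2.10")          # constructed client address
    print(s.handle_pasv())                        # 530: not logged in yet
    s.login()
    print("listeners after 200 PASV:", stress_pasv(s))
    print(s.handle_port("192,0,2,10,4,1"))        # own host, port 1025: accepted
    print(s.handle_port("203,0,113,5,0,25"))      # other host, port 25: rejected
    print(s.quit())
```

The listener count after the PASV loop is the check a tester would use against a patched build: it should stay at one per session, and a `netstat` of the 1024-5000 range should not fill up while the loop runs.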
SOLUTION
The latest beta version fixes these two vulnerabilities and it can be
found at:
ftp://ftp.eserv.ru/pub/beta/2.98/