02Jul

Secure FTP (Implicit and Explicit FTPS)


We’re excited to announce that the Mr.Host FTP servers have been upgraded to support secure encrypted connections, for all Mr.Host web hosting customers.

We’ve included support for both “implicit” SSL (running on port 990), and “explicit” (also referred to as TLS, AUTH TLS or FTPES), running on the standard FTP port 21.

 

How to Upgrade

We’ve added a Knowledge Base article with details on how to enable encrypted FTP in the most common FTP clients, available here:

http://mrhost.ca/system/knowledge-base/ftp-access/ftp-client-setup/secure-ftp-using-ssl-encryption-with-ftp/

If you have any questions or need help configuring your FTP client, you can contact us at help@mrhost.ca

 

Technical Stuff – Implicit vs Explicit vs FTPS vs SFTP

There seems to be a lot of confusion over the different types of secure FTP, as there are several methods of securely transferring files that have been called “Secure FTP” at one point or another:

FTPS

Explicit FTPS is an extension to the FTP standard that allows clients to request that the FTP session be encrypted. This is done by sending the “AUTH TLS” command. The server has the option of allowing or denying connections that do not request TLS. This protocol extension is defined in the proposed standard RFC 4217.

Implicit FTPS is a deprecated standard for FTP that required the use of an SSL or TLS connection. It was specified to use different ports than plain FTP (usually port 990).

Mr.Host supports both of these FTPS methods.
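To see which policy a server applies to clients that never send AUTH TLS, the control channel can be probed before any encryption is negotiated. This is an added example, not Mr.Host's code: the function names, the `probe` user name and the fake server's replies are constructed, and reading a 331 reply to USER as "cleartext login accepted" is an assumption about how a server signals its policy.

```python
import socket, threading

def read_reply(f):
    """Read one FTP reply (RFC 959), including the multi-line '211-' form."""
    lines = [f.readline().decode("ascii", "replace").rstrip("\r\n")]
    code = lines[0][:3]
    if lines[0][3:4] == "-":                  # multi-line ends at "<code> "
        while not lines[-1].startswith(code + " "):
            raw = f.readline()
            if not raw:
                raise ConnectionError("control connection closed")
            lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
    return int(code), lines

def probe_explicit_ftps(sock):
    """Report whether the server offers AUTH TLS and whether it still accepts
    a cleartext USER from a client that never requested TLS."""
    f = sock.makefile("rb")
    read_reply(f)                             # 220 greeting
    sock.sendall(b"FEAT\r\n")
    _, feat = read_reply(f)
    offers = any(l.strip().upper().startswith("AUTH") and "TLS" in l.upper() for l in feat)
    sock.sendall(b"USER probe\r\n")           # placeholder name; no password is sent
    code, _ = read_reply(f)
    sock.sendall(b"QUIT\r\n")
    read_reply(f)                             # 221 goodbye
    return {"offers_auth_tls": offers, "plaintext_login_allowed": code == 331}

def fake_server(sock, require_tls):
    """Constructed stand-in for a server's control channel (offline demo only)."""
    sock.sendall(b"220 constructed test server\r\n")
    for raw in sock.makefile("rb"):
        cmd = raw.strip().upper()
        if cmd == b"FEAT":
            sock.sendall(b"211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n")
        elif cmd.startswith(b"USER"):
            sock.sendall(b"530 TLS required\r\n" if require_tls else b"331 Password required\r\n")
        elif cmd == b"QUIT":
            sock.sendall(b"221 Bye\r\n")
            break
    sock.close()

def demo(require_tls):
    """Run the probe against the constructed server over a local socket pair."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_server, args=(server, require_tls), daemon=True).start()
    try:
        return probe_explicit_ftps(client)
    finally:
        client.close()
```

Against a real server, pass `probe_explicit_ftps` a socket from `socket.create_connection((host, 21))`; a result with `plaintext_login_allowed` set to `True` means clients that skip AUTH TLS can still send credentials unencrypted.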

SFTP

SFTP is not actually FTP, but a method for copying files over an SSH connection, using a similar command set.

Mr.Host does not currently support this.

02Jul

PHP 5.3.14 Upgrade


This evening all Mr.Host web servers have been upgraded to PHP 5.3.14. We missed a few updates between 5.3.10 and 5.3.14, so this post outlines all the changes since 5.3.10.

5.3.11

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:

    • Fixed bug #54374 (Insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
    • Add open_basedir checks to readline_write_history and readline_read_history.

Security Enhancement affecting PHP 5.3.11 only:

    • Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).

Key enhancements in these releases include:

    • Added debug info handler to DOM objects.
    • Fixed bug #61172 (Add Apache 2.4 support).

5.3.12, 5.3.13

These releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.

5.3.14

The release fixes multiple security issues: a weakness in the DES implementation of crypt and a heap overflow issue in the phar extension.

PHP 5.4.4 and PHP 5.3.14 fix over 30 bugs. Please note that the use of php://fd streams is now restricted to the CLI SAPI.

For a full list of changes from PHP v 5.3.10 to 5.3.14, see the ChangeLog.