SFTPPlus Release 3.33.0

Mon 23 April 2018 | security release

We are pleased to announce the latest release of SFTPPlus version 3.33.0.

This is a significant release in that it supports the Internet's next generation protocol, IPv6, for all server-side functionalities.

As we begin to hit the upper limit of IPv4 addresses, the current standard, what matters to us is to enable our customers and their businesses to set up their services on IPv6 with SFTPPlus.

In addition to IPv6 support, the following are new features and defect fixes associated with this release.

New Features

  • A new authentication method was added which allows the server to read application accounts from a separate file. [server-side] [#1056]
  • It is now possible to configure the supported ciphers for an SFTP location using the ssh_cipher_list configuration option. [#4619]
  • The FTP and FTPS file transfer services now support IPv6 as specified in RFC 2428. [server-side][ftp][ftps] [#4823-1]
  • The HTTP and HTTPS file transfer services now support IPv6. [server-side][http][https] [#4823]
  • The event with ID 30011 now contains details about the encryption used by the SFTP and SCP connections. [server-side][sftp][scp] [#4850]

Defect fixes

  • A defect was fixed in the SFTP service for the chmod operation. In previous versions, the chmod was ignored and always returned a success result. [server-side][sftp] [#4338]
  • The HTTP PUT method of the file transfer service now returns a correct code when the HTTP request contains Expect: 100-continue and the request fails to be authenticated. [server-side][http][https] [#4856]
  • When uploading files into an empty folder using a web browser which has Javascript enabled, you will now see the uploaded file in the folder listing. This issue was introduced in 3.31.0. This was not an issue for web browsers with Javascript disabled. [server-side][http][https] [#4865]
  • The HTTP file transfer service will now force any file to be downloaded by the browser. Previously, it was displaying HTML or images inside the browser without forcing a download. [server-side][http][https][security] [#4877-1]
  • The HTTP file transfer service and the Local Manager service were updated to prevent cross-site request forgery (CSRF / XSRF) attacks by validating the Origin and Referer headers against the Host header. [server-side][http][https][security] [#4877]
  • The HTTP file transfer service will now set the session cookie using the httpOnly and 'sameSite' options. [server-side][http][https][security] [#4881]
  • The error messages in the HTTP service were updated to prevent cross site scripting attacks (XSS). [server-side][http][https] [#4884]

You can check the full release notes here.