Bugtraq mailing list archives
Re: ftpd: the advisory version
From: monti () USHOST COM (monti)
Date: Wed, 5 Jul 2000 15:16:38 -0500
On Fri, 30 Jun 2000, Carson Gaspar wrote:
I.e. publicfile is able to drop root privs because it stops using port 20 when creating data connections in response to a PORT command. It's against the spec but works with most clients.

Mike> Against spec, it may be, but in my opinion, it makes more sense. FYI, it violates a SHOULD, it doesn't violate a MUST, so it is officially in spec.
Regardless of whether it is in or out of spec, IMO it is a terribly bad idea. Netware's FTP server is a good example of what goes wrong with this in practice. Either unintentionally or for whatever reason, they neglect to follow the src port 20 convention, and it has disastrous effects in relation to firewalls and IP-redirectors. Aside from the serious security complexities involved with actually *allowing* other than src-20 active data connections through a firewall, many "man-in-the-middle" products have been hard-coded to work only with it. As we saw with recent postings on bugtraq regarding Stateful inspection and sometimes application proxy weaknesses in trying to open dynamic ftp-data ports, even the current state is pretty bad. Loosening the de facto standard even more will make it much, much worse. Just my opinion, but one based on a lot of headache from past experience.

Eric Monti
monti () ushost com
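Added example, not part of the original post: a minimal Python sketch of how a filtering device might decide whether to admit an active-mode FTP data connection, with the src-port-20 check switched on and off. The class and function names, the addresses, and the no-NAT assumption are all constructed for illustration and are not taken from any product.

```python
import re

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = FTP_CONTROL_PORT - 1   # RFC 959 default server data port (L-1)

PORT_RE = re.compile(r"^PORT " + ",".join([r"(\d{1,3})"] * 6) + r"\r?\n?$")

def parse_port(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ActiveFtpTracker:
    """Hypothetical tracker: remembers PORT commands, then judges data SYNs."""

    def __init__(self, strict_src_port=True):
        self.strict = strict_src_port
        self.pending = set()            # (server_ip, client_ip, client_port)

    def on_control_line(self, client_ip, server_ip, line):
        ep = parse_port(line)
        # Assumption: no NAT, so a PORT must name the client's own address.
        if ep and ep[0] == client_ip:
            self.pending.add((server_ip, ep[0], ep[1]))

    def allow_data(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if key not in self.pending:
            return False                # no PORT command asked for this
        if self.strict and src_port != FTP_DATA_PORT:
            return False                # not from the server's ftp-data port
        self.pending.discard(key)       # one data connection per PORT
        return True

def demo():
    """Constructed traffic: same PORT command, strict vs. loose policy."""
    client, server = "192.0.2.10", "198.51.100.5"
    results = {}
    for name, strict in (("strict", True), ("loose", False)):
        t = ActiveFtpTracker(strict)
        t.on_control_line(client, server, "PORT 192,0,2,10,19,137\r\n")
        results[name] = t.allow_data(server, 40000, client, 5001)
    return results

if __name__ == "__main__":
    print(demo())
```

With the strict check, only a connection sourced from port 20 matches the pending PORT; with it relaxed, a connection from any source port on the server's address is admitted.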