Re: ws_ftp pro 6.51 exposes internal IP addresses

[Adam Prato <sirsyko () MERGIOO ISHIBOO COM>]

On Mon, Jul 31, 2000 at 09:07:13AM -0400, Crawling KingSnake wrote:
> ws_ftp pro 6.51 exposes internal IP addresses when connecting using PASV
> mode and the target site is using ipfilter. This was tested on a network
> using OpenBSD 2.7 as the firewall/gateway with several internally addressed
> machines running different server applications. Here is a log:
[...]
> PASV
> 227 Entering Passive Mode (192,168,1,5,6,184).
> connecting to 192.168.1.5:1720
>
> I have cleansed the log to protect the network. But as you can see the first
> attempt fails and somehow the internal address is exposed to ws_ftp and then
> to the user. The second login attempt happens automatically, immediately
> after the first login failure. A malicious person could use this information
> to specifically target the internal machines if/when a breach of the gateway
> box occurs.
>
> Vendor was notified but no response.

what is the vendor supposed to do? This is an administration issue. If you
are protecting your network via a firewall, and you intend to hide all aspects
of your network hierarchy, then you'll want to disable passive ftp.

Unless ws_ftpd is not capable of disabling passive ftp, this doesnt sound like
a vendor issue.

<ss>