Vulnerability Development mailing list archives

Re: ws_ftp pro 6.51 exposes internal IP addresses


From: Adam Prato <sirsyko () MERGIOO ISHIBOO COM>
Date: Wed, 2 Aug 2000 17:38:10 -0400

On Tue, Aug 01, 2000 at 12:07:07PM -0400, Crawling KingSnake wrote:
> How so is this an administrative issue?  ws_ftp is the only one that does
> this.  Other clients connect successfully using PASV mode.  Maybe you should
> reread the statement and not be so quick to jump on the "administrator at
> fault" excuse.  The server does not have the bounce attack enabled but the
> client must use PASV to connect because of the firewall.  Those are two
> different issues.  Please try to understand the situation before responding
> since these responses prove wasteful.

a) My comments weren't directed as an attack. I just failed to see the
   "vulnerability" in this issue.

b) how does ws_ftp pro 6.51 behave any differently than any other client when
connecting to a remote server? If you have a server behind a firewall, and
you intend to allow ftp connections to said server, *and* you intend to
protect the topology about the network behind said firewall, you will need to
disable passive ftp.

Regardless of the operating system or the ftp daemon that the operating system
runs, you'll need to disallow passive ftp in order to keep the topology
information secret. The passive (PASV) command will always return this
information. Try setting up other ftp daemons on other ports redirected by the
IPFilter firewall. For example, if you use the passive command against Solaris
ftpd, you will see information about the Solaris machine's internal IP address.

I fail to see how ws_ftp is any more capable of compromising the security of
a remote environment since all ftp clients will behave this way. The
information given to the ws_ftp client is the same information that any server
will give to any client.

c) Since this is a "development" list, I didn't see my comments as wasteful.
I merely posed a conjecture that I wanted to be refuted, if possible.

If this is truly a vulnerability, please explain why it is a vulnerability,
rather than attacking the usefulness of my posts.


<ss>





On Mon, Jul 31, 2000 at 09:07:13AM -0400, Crawling KingSnake wrote:
ws_ftp pro 6.51 exposes internal IP addresses when connecting using PASV
<snip>
Vendor was notified but no response.


What is the vendor supposed to do? This is an administration issue. If you
are protecting your network via a firewall, and you intend to hide all aspects
of your network hierarchy, then you'll want to disable passive ftp.

Unless ws_ftpd is not capable of disabling passive ftp, this doesn't sound like
a vendor issue.

<ss>

