Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ftpd: the advisory version

From: mgleason () NCFTP COM (Mike Gleason)
Date: Sun, 2 Jul 2000 14:26:52 -0500

At 08:05 PM 6/30/00 -0400, Carson Gaspar wrote:

"Mike" == Mike Eldridge <diz () CAFES NET> writes:


Mike> On Tue, 27 Jun 2000, Olaf Kirch wrote:

I.e. publicfile is able to drop root privs because it stops using port 20
when creating data connections in response to a PORT command. It's
against the spec but works with most clients.


Mike> Against spec, it may be, but in my opinion, it makes more sense.

FYI, it violates a SHOULD, it doesn't violate a MUST, so it is officially in
spec.


Most (if not all) FTP client programs don't give a flying squirrel if an
incoming PORT connection to them is originating from port 20 or not.

However, it should be noted that firewalls *do* care.  It's been awhile
since I've checked, but at least one major firewall vendor (I think it was
FireWall-1 from Check Point) silently discards the connection if it isn't
coming from port 20.  This problem came up a few years ago when people were
reporting that NcFTPd Server was timing out data connections because NcFTPd
thought it could get away without binding its side to port 20.

Mike Gleason
NcFTP Software
http://www.NcFTP.com
Previous By Date Next
Previous By Thread Next

Current thread: