Bugtraq mailing list archives
Re: ftpd: the advisory version
From: djb () CR YP TO (D. J. Bernstein)
Date: Sat, 1 Jul 2000 14:23:27 -0000
Clients should not---and, as far as I know, do not---check the source TCP port for active connections from the server. See http://cr.yp.to/ftp/security.html for further comments on FTP protocol security issues.

Please note that publicfile isn't just for sites where ``all you need is anonymous FTP.'' You can run publicfile as your anonymous FTP server, and run a non-anonymous FTP server on another port or IP address. (Many of wuftpd's security holes have required the attacker to log in first.) Similarly, you can use publicfile for static HTTP files, and another server for dynamic HTTP files.

---Dan