On Sun, 2007-03-04 at 17:13 +0000, mark wrote: > There's a new paper/advisory at: http://bindshell.net/papers/ftppasv > > Here's a quick summary: > > A common implementation flaw in FTP clients allows FTP servers > to cause clients to connect to other hosts. This seemly small vulnerability > has some interesting consequences for web browser security (namely in > Firefox, Opera and Konqueror). > > This paper discusses the FTP client flaw in detail and demonstrates how > it can be used to attack web browsers... (snip) I wouldn't say it's an implementation flaw. As the paper says, it's not contrary to the RFC; in fact, it's exactly as the RFC says. The inclusion of the IP in the PASV response is there for a purpose: saying to the client "connect there, and nowhere else for the content you requested". 30 years ago, in an era of 1200bps modems and tiny little boxes connected to those wires, the ability to have completely controllable data flows that didn't had to go back and forth between multiple clients and servers was seductive. Of course, as you also remark, there's little practical use of that feature by today's standards. If anything, IE's ignorance of the IP is the flaw: it's non conformant. It also happens to be the more secure behaviour though, so don't expect me to agitate the flag and insist they conform to standards on this. The RFC 2428 extended the PASV command to EPSV. EPSV does what you seem to expect the PASV to do: get a TCP port to connect to, and let the IP be the same as the control connection. However, not every FTP server support this, and many firewalls/NAT boxes will fail to detect the command and will not open the data conduit for the FTP transfer when thus ordered. -- Vincent ARCHER varcher@xxxxxxxxxxx Tel : +33 (0)1 40 07 47 14 Fax : +33 (0)1 40 07 47 27 Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France
