>Number: 3605
>Category: mod_proxy
>Synopsis: Some anonymous FTP URLs ask for authentication
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Dec 29 13:10:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.3
>Environment:
Running Linux 2.0.34 (RedHat 5.2), Apache 1.3.3.
>Description:
Clients accessing my apache proxy for only *some* ftp URLs get a prompt to enter a username and password, even when no username is given and anonymous access is supposed to be the default (ftp://ftp.cdrom.com/ is the famous one; there's one other that I haven't confirmed). Entering "anonymous" and "[EMAIL PROTECTED]" makes it go away, but it appears for each download and directory change, and doesn't even remember the last "anonymous" and "[EMAIL PROTECTED]" password at the very least.

Also, probably related: All FTP URLs of the form ftp://[EMAIL PROTECTED]/ pop up the authentication box, but do not remember the username (i.e., both boxes are blank). As far as I can tell, ftp://[EMAIL PROTECTED]/ only serves to pop up a blank authentication box. ftp://user:[EMAIL PROTECTED]/ works fine, but is not a good choice at all.

The Apache proxy server is nice, and I hope development continues on it. I especially would like to see FTP PUTs work, as a normal FTP proxy is terribly unsecure with the packet access that has to be allowed.
>How-To-Repeat:
Using apache 1.3.3 proxy and a Netscape 4.x client, try ftp://ftp.cdrom.com/
>Fix:
I suppose cdrom.com has a special ftp server that challenges Apache. Apache might recognize this challenge and substitute anonymous. Or at least remember the previous anonymous user and password...
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need to include <[EMAIL PROTECTED]> in the Cc line and leave the subject line UNCHANGED. This is not done automatically because of the potential for mail loops. If you do not include this Cc, your reply may be ignored unless you are responding to an explicit request from a developer. Reply only with text; DO NOT SEND ATTACHMENTS!]
