Passive Data connections should check the remote IP address before starting the 
data transfer
---------------------------------------------------------------------------------------------

                 Key: FTPSERVER-323
                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
             Project: FtpServer
          Issue Type: Bug
    Affects Versions: 1.0.2
            Reporter: Sai Pullabhotla
             Fix For: 1.1.0


In the current version it is possible for a hacker to connect to any passive 
port that is currently waiting for a connection and read/write data off that 
connection. We should put a check in place to make sure the IP address of 
the remote host is the same as the one we are expecting; if not, close the data 
connection right away. After closing the data connection we can do one of the 
following: 

1. Wait for an incoming connection again so the original client can connect. 
2. Just quit and send a reply back to the client that the data connection is 
closed. We need to figure out what reply we want to send in this case. 

What do you guys think we should do? 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
