Do you think this should be a configurable option? I tested with some other servers and they DO ALLOW stealing the data connection from a different client. I believe it is to facilitate site-to-site transfers. Let me know.
On Wed, Aug 12, 2009 at 2:56 PM, Niklas Gustavsson (JIRA)<[email protected]> wrote:
>
> [ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12742544#action_12742544 ]
>
> Niklas Gustavsson commented on FTPSERVER-323:
> ---------------------------------------------
>
> If this happens, and it should be a very uncommon event, I think we should
> close the data connection. It is after all known by the hacker, so better
> safe than sorry.
>
>> Passive Data connections should check the remote IP address before starting
>> the data transfer
>> ---------------------------------------------------------------------------------------------
>>
>> Key: FTPSERVER-323
>> URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>> Project: FtpServer
>> Issue Type: Bug
>> Affects Versions: 1.0.2
>> Reporter: Sai Pullabhotla
>> Fix For: 1.1.0
>>
>>
>> In the current version it is possible for a hacker to connect to any passive
>> port that is currently waiting for a connection and read/write data off that
>> connection. We should implement a check in place to make sure the IP address
>> of the remote host is same as the one we are expecting, if not, close the
>> data connection right away. After closing the data connection we can do one
>> of the following:
>> 1. Wait for incoming connection again so the original client can connect
>> 2. just quit and send a reply back to the client that the data connection is
>> closed. We need to figure out what reply we want to send in this case.
>> What do you guys think we should do?
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>
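The check discussed in this thread, sketched as an added example that is not part of the original messages or of Apache FtpServer's code: the passive listener drops any peer whose address differs from the control connection's and keeps waiting (option 1 in the issue), with a switch for the site-to-site case raised above. `PassiveDataGuard`, `acceptData`, `allowForeignPeer` and the timeout are hypothetical names, and 192.0.2.10 is a constructed address.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class PassiveDataGuard {
    /**
     * Accept a passive data connection, closing any peer whose address differs from
     * the control connection's. allowForeignPeer is a hypothetical configuration
     * switch for deployments that must permit site-to-site transfers.
     */
    static Socket acceptData(ServerSocket passive, InetAddress controlPeer,
                             boolean allowForeignPeer, int timeoutMs) throws IOException {
        long deadline = System.currentTimeMillis() + timeoutMs;
        while (true) {
            long remaining = deadline - System.currentTimeMillis();
            if (remaining <= 0) throw new SocketTimeoutException("no valid data connection");
            passive.setSoTimeout((int) remaining); // bound the total wait, not each accept
            Socket s = passive.accept();
            if (allowForeignPeer || s.getInetAddress().equals(controlPeer)) return s;
            s.close(); // option 1 from the issue: drop the stranger, keep waiting
        }
    }

    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        InetAddress other = InetAddress.getByName("192.0.2.10"); // constructed (TEST-NET-1)
        try (ServerSocket passive = new ServerSocket(0, 5, loopback)) {
            // Peer is 127.0.0.1 but the control connection is "from" 192.0.2.10: rejected.
            try (Socket client = new Socket(loopback, passive.getLocalPort())) {
                try {
                    acceptData(passive, other, false, 500).close();
                    System.out.println("unexpected: mismatched peer accepted");
                } catch (SocketTimeoutException e) {
                    System.out.println("mismatched peer rejected, then timed out");
                }
            }
            // Peer address equals the control connection's address: accepted.
            try (Socket client = new Socket(loopback, passive.getLocalPort());
                 Socket data = acceptData(passive, loopback, false, 500)) {
                System.out.println("matching peer accepted: " + data.getInetAddress());
            }
        }
    }
}
```

An address comparison narrows who can take the data connection but does not authenticate the peer: clients behind the same NAT share an address and would still pass the check.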
