[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sai Pullabhotla updated FTPSERVER-323:
--------------------------------------
Component/s: Core
Issue Type: New Feature (was: Bug)
Summary: Add a new configuration option for enabling/disabling IP check
when accepting passive data connections (was: Passive Data connections should
check the remote IP address before starting the data transfer)
Changed the title to better match the resolution we came up with.
> Add a new configuration option for enabling/disabling IP check when accepting
> passive data connections
> ------------------------------------------------------------------------------------------------------
>
> Key: FTPSERVER-323
> URL: https://issues.apache.org/jira/browse/FTPSERVER-323
> Project: FtpServer
> Issue Type: New Feature
> Components: Core
> Affects Versions: 1.0.2
> Reporter: Sai Pullabhotla
> Fix For: 1.1.0
>
> Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive
> port that is currently waiting for a connection and read/write data off that
> connection. We should implement a check in place to make sure the IP address
> of the remote host is the same as the one we are expecting; if not, close the
> data connection right away. After closing the data connection we can do one of
> the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. Just quit and send a reply back to the client that the data connection is
> closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?
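The check described in the issue, as an added example (not code from FTPSERVER-323.patch or from Apache FtpServer): the passive listener accepts a data connection only when its peer address matches the control connection's address, closes anything else, and combines the two options listed above by waiting again up to a limit and then giving up. The names `accept_passive`, `ip_check`, `max_rejects` and `DataConnectionRejected` are hypothetical, and the reply sent on the control connection is left to the caller.

```python
import ipaddress


class DataConnectionRejected(Exception):
    """Only unexpected hosts connected to the passive port."""


def same_host(peer_ip, control_ip):
    """Compare addresses by value, so ::ffff:192.0.2.7 matches 192.0.2.7."""
    def norm(text):
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        return (ip.ipv4_mapped or ip) if ip.version == 6 else ip
    return norm(peer_ip) == norm(control_ip)


def accept_passive(listener, control_ip, ip_check=True, max_rejects=3):
    """Accept a data connection on a passive listener socket.

    control_ip is the address the control connection came from. ip_check and
    max_rejects are hypothetical names chosen for this example.
    Returns (connection, list of rejected peer addresses).
    """
    rejected = []
    while True:
        conn, peer = listener.accept()  # caller bounds the wait with settimeout()
        if not ip_check or same_host(peer[0], control_ip):
            return conn, rejected
        conn.close()                    # unexpected host: close before any transfer
        rejected.append(peer[0])        # kept so the caller can log the attempts
        if len(rejected) >= max_rejects:
            # Option 2: give up; the caller replies on the control connection.
            raise DataConnectionRejected(rejected)
        # Option 1: loop and wait for the original client to connect.


if __name__ == "__main__":
    import socket
    # Constructed loopback demo: the client and the expected address are both 127.0.0.1.
    srv = socket.create_server(("127.0.0.1", 0))
    srv.settimeout(5)
    cli = socket.create_connection(srv.getsockname())
    conn, rejected = accept_passive(srv, "127.0.0.1")
    print("accepted", conn.getpeername()[0], "rejected", rejected)
```

Capping the retries matters because with option 1 alone, a host that keeps connecting to the passive port could hold the legitimate transfer off indefinitely.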