ZeddYu Lu <zeddyu...@gmail.com> writes:

> Last year, curl had a security update for CVE-2020-8284. For more info, see
> https://hackerone.com/reports/1040166
>
> The problem is that the ftp client trusts the host from the PASV response by
> default. A malicious server can trick the ftp client into connecting back to
> a given IP address and port. This may make the ftp client scan ports and
> extract service banners from a private network.

Thank you for the report! Indeed this seems real, and a quite old bug.

The solution by others (to just ignore the IP address sent by the server, and use the one provided by the local user instead) is good.

This is an ancient tool that may be used to connect to ancient servers that for some reason could behave like this. I think it would be nice to offer the old behaviour as an option, like curl did.

I have looked around to see how other command-line ftp clients patched this bug, but cannot find any good patterns. Are you aware of any patches to similar old ftp clients like ours? As far as I can tell, NetKit-ftp isn't patched against this bug.

/Simon
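
The fix discussed in this thread, sketched as an added example (not code from the message, from inetutils, or from curl): the PASV reply is parsed strictly, the port is taken from it, and the host is taken from the control connection unless the user opts back in to the old behaviour. The names `pasv_endpoint`, `data_endpoint` and `trust_server_ip` are hypothetical, and the sketch assumes IPv4 only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct data_endpoint {
    uint8_t  ip[4];  /* IPv4 address to connect the data channel to */
    uint16_t port;   /* TCP port, host byte order */
};

/*
 * Parse "227 ... (h1,h2,h3,h4,p1,p2)" and choose the data endpoint.
 * ctrl_ip: peer address of the control connection (assumption: a real
 *          client would obtain it with getpeername() on that socket).
 * trust_server_ip: hypothetical opt-in that restores the old behaviour.
 * Returns 0 on success, -1 if the reply is malformed.
 */
int pasv_endpoint(const char *reply, const uint8_t ctrl_ip[4],
                  int trust_server_ip, struct data_endpoint *out)
{
    unsigned v[6];
    const char *p;
    char end;
    int i;
    if (strncmp(reply, "227", 3) != 0 || (p = strchr(reply, '(')) == NULL)
        return -1;
    /* %3u caps each field at three characters; %c must then match ')'. */
    if (sscanf(p, "(%3u,%3u,%3u,%3u,%3u,%3u%c", &v[0], &v[1], &v[2],
               &v[3], &v[4], &v[5], &end) != 7 || end != ')')
        return -1;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    if (v[4] == 0 && v[5] == 0)
        return -1;               /* port 0 is not connectable */
    /* Default: ignore the server-supplied host, reuse the control peer. */
    for (i = 0; i < 4; i++)
        out->ip[i] = trust_server_ip ? (uint8_t)v[i] : ctrl_ip[i];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

int main(void)
{
    /* Constructed sample: reply names 10.0.0.1, control peer is 203.0.113.5. */
    const uint8_t ctrl[4] = {203, 0, 113, 5};
    struct data_endpoint ep;
    if (pasv_endpoint("227 Entering Passive Mode (10,0,0,1,4,1)", ctrl, 0, &ep) == 0)
        printf("%d.%d.%d.%d:%d\n", ep.ip[0], ep.ip[1], ep.ip[2], ep.ip[3], ep.port);
    return 0;
}
```

With the default setting the constructed reply yields 203.0.113.5:1025, so the data connection can only go back to the host the user actually connected to.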