Potential security bug

2007-05-13 Thread Niklas Gustavsson

Hey

Mozilla has recently made a fix to their FTP client that ignores the 
provided IP address in the PASV command. I'm a bit curious if this is 
anything that would affect us as well (probably in the case of the PORT 
command) and would like your feedback.


More info on the Mozilla bug over here:
http://www.mozilla.org/security/announce/2007/mfsa2007-11.html

/niklas



Re: Potential security bug

2007-05-14 Thread Niklas Gustavsson

Niklas Gustavsson wrote:

Hey

Mozilla has recently made a fix to their FTP client that ignores the 
provided IP address in the PASV command. I'm a bit curious if this is 
anything that would affect us as well (probably in the case of the PORT 
command) and would like your feedback.


More info on the Mozilla bug over here:
http://www.mozilla.org/security/announce/2007/mfsa2007-11.html


I should probably also point out that we already can do one check and 
that is that the data socket address has to be the same as the client 
address. This check is by default disabled, but can be activated using:

config.listeners..data-connection.active.ip-check=true

Should we maybe activate this check by default?

/niklas
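
The check described in the message above, written out as an added example (not part of the original post and not the project's own code): the address in a PORT argument is accepted only if it equals the remote address of the control connection. The function names, the `ip_check` parameter and the sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

class DataAddressError(ValueError):
    """PORT argument is malformed or fails the IP check."""

def parse_port_argument(arg):
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise DataAddressError("PORT needs six comma-separated fields")
    # Strict ASCII digits only: int() alone would accept '+1', ' 1' or '1_0'.
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise DataAddressError("PORT fields must be decimal integers")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise DataAddressError("PORT fields must be in 0..255")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise DataAddressError("port 0 is not a usable data port")
    return ip, port

def check_active_data_address(port_arg, control_peer_ip, ip_check=True):
    """Return the (ip, port) the server may connect to, or raise.

    control_peer_ip: remote address of the control connection.
    ip_check=False accepts whatever address the client sent.
    """
    ip, port = parse_port_argument(port_arg)
    peer = ipaddress.ip_address(control_peer_ip)
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
    peer = getattr(peer, "ipv4_mapped", None) or peer
    if ip_check and ip != peer:
        raise DataAddressError(f"PORT address {ip} differs from control peer {peer}")
    return ip, port

if __name__ == "__main__":
    # Constructed sample: control connection from 192.0.2.10 (documentation range).
    for arg in ("192,0,2,10,19,137", "198,51,100,7,19,137"):
        try:
            print(arg, "->", check_active_data_address(arg, "192.0.2.10"))
        except DataAddressError as exc:
            print(arg, "-> rejected:", exc)
```

A client behind NAT that sends its private address in PORT will fail this check, which is one thing to weigh when deciding whether to enable it by default.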