[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12742544#action_12742544 ]
Niklas Gustavsson commented on FTPSERVER-323:
---------------------------------------------

If this happens, and it should be a very uncommon event, I think we should close the data connection. It is after all known by the hacker, so better safe than sorry.

> Passive Data connections should check the remote IP address before starting the data transfer
> ---------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: Bug
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>
> In the current version it is possible for a hacker to connect to any passive port that is currently waiting for a connection and read/write data off that connection. We should implement a check in place to make sure the IP address of the remote host is the same as the one we are expecting; if not, close the data connection right away. After closing the data connection we can do one of the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. Just quit and send a reply back to the client that the data connection is closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
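The check the issue asks for, written out as an added illustration in Python (Apache FtpServer itself is Java; this is not the project's code): the passive listener compares the data connection's peer address with the control connection's address, closes any connection from another host before a byte moves, and either keeps waiting (option 1 above) or gives up so the command handler can send a failure reply (option 2). The listener is assumed to expose the standard `settimeout()`/`accept()` socket interface; the retry limit and the IPv4-mapped-IPv6 normalisation are my additions.

```python
"""Added example, not Apache FtpServer's code: verify the peer of an accepted
passive-mode data connection against the control connection's remote address,
as proposed in FTPSERVER-323, and close connections from any other host."""
import ipaddress
import socket
import time


def _normalize(ip: str):
    """Map ::ffff:a.b.c.d onto a.b.c.d so a dual-stack listener still matches."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def same_host(control_ip: str, data_ip: str) -> bool:
    """True when the data connection comes from the control connection's host."""
    return _normalize(control_ip) == _normalize(data_ip)


def accept_verified(listener, control_ip: str, timeout: float = 30.0,
                    max_rejects: int = 3):
    """Accept on the passive listener until the expected host connects.

    A connection from any other host is closed at once, before any data
    moves, and we keep waiting for the real client (option 1 in the issue).
    After max_rejects foreign connections, or once the timeout elapses, give
    up and return None so the caller can reply to the client that the data
    connection failed (option 2 in the issue).
    Returns (conn, rejected) on success and (None, rejected) on failure.
    """
    deadline = time.monotonic() + timeout
    rejected = 0
    while rejected < max_rejects:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        listener.settimeout(remaining)
        try:
            conn, peer = listener.accept()  # peer is (ip, port[, flow, scope])
        except (socket.timeout, TimeoutError):
            break
        if same_host(control_ip, peer[0]):
            return conn, rejected
        conn.close()  # unknown peer: it must neither read nor write this transfer
        rejected += 1
    return None, rejected
```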