[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747367#action_12747367 ]

Sai Pullabhotla commented on FTPSERVER-323:
-------------------------------------------

I will fix the typo.

The public constructors in the FtpReply implementations do not have
anything to do with this issue. I was going to open a new issue for
that. I think it would be nice to have the constructors public so
Ftplets can create and send a specific type of reply. I currently do
this in one of my Ftplets, and then I have some code that takes the reply
object and does audit logging. So, basically, my audit logger is built
around the FtpRequest, Session and FtpReply objects. Hope it makes sense.
Let me know what you think.

Sai Pullabhotla
www.jMethods.com

On Tue, Aug 25, 2009 at 2:07 AM, Niklas Gustavsson

> Passive Data connections should check the remote IP address before starting 
> the data transfer
> ---------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: Bug
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>         Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive 
> port that is currently waiting for a connection and read/write data off that 
> connection. We should implement a check to make sure the IP address 
> of the remote host is the same as the one we are expecting; if not, close the 
> data connection right away. After closing the data connection we can do one of 
> the following: 
> 1. Wait for an incoming connection again so the original client can connect 
> 2. Just quit and send a reply back to the client that the data connection is 
> closed. We need to figure out what reply we want to send in this case. 
> What do you guys think we should do? 

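The check proposed in the quoted issue, written out as an added illustration (not FtpServer's code and not the attached patch): a passive accept loop that compares the data connection's remote IP with the control connection's and closes any mismatch before a byte is transferred, with a flag selecting between the two follow-ups the issue lists. The fake connection objects, the constructed addresses and the 425 reply text are assumptions of this example; the issue does not settle which reply to send.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed reply for option 2; the issue leaves the exact reply code open.
DATA_CONN_REJECTED_REPLY = "425 Can't open data connection: unexpected remote address"

class FakeDataConnection:
    """Stand-in for an accepted data socket (constructed for this example)."""
    def __init__(self, peer_ip: str) -> None:
        self.peer_ip, self.closed = peer_ip, False

    def close(self) -> None:
        self.closed = True

AcceptFn = Callable[[], Tuple[FakeDataConnection, Tuple[str, int]]]

@dataclass
class PassiveAcceptResult:
    connection: Optional[FakeDataConnection]       # None if nothing acceptable arrived
    rejected_peers: List[str] = field(default_factory=list)
    reply: Optional[str] = None                    # control-channel reply when giving up

def accept_passive_data_connection(accept: AcceptFn, expected_ip: str,
                                   wait_again: bool, max_attempts: int = 3) -> PassiveAcceptResult:
    """Accept on the passive listener but only hand back a connection whose remote IP
    equals the control connection's remote IP. A mismatch is closed immediately,
    before any data is read or written. wait_again=True is option 1 from the issue
    (keep waiting for the real client, up to max_attempts); False is option 2
    (give up and report back on the control channel)."""
    result = PassiveAcceptResult(connection=None)
    for _ in range(max_attempts if wait_again else 1):
        conn, (peer_ip, _port) = accept()
        if peer_ip == expected_ip:
            result.connection = conn
            return result
        conn.close()                               # drop the stray host, never read/write
        result.rejected_peers.append(peer_ip)
    result.reply = DATA_CONN_REJECTED_REPLY
    return result

def make_accept(peer_ips: List[str]) -> AcceptFn:
    """Simulated listener: each call accepts the next constructed remote address."""
    queue = list(peer_ips)
    def accept() -> Tuple[FakeDataConnection, Tuple[str, int]]:
        ip = queue.pop(0)
        return FakeDataConnection(ip), (ip, 54321)
    return accept
```

Comparing addresses narrows the window but does not close it for hosts that share the client's public address (for example behind the same NAT), so the passive port should still be held open only as long as the transfer needs it.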