[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747422#action_12747422 ]
Sai Pullabhotla commented on FTPSERVER-323:
-------------------------------------------

Okay, the code is checked in for #323. I opened a new case for the constructors. Thanks.

Sai Pullabhotla
www.jMethods.com

On Tue, Aug 25, 2009 at 7:37 AM, Niklas Gustavsson

> Passive Data connections should check the remote IP address before starting the data transfer
> ---------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: Bug
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>         Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive
> port that is currently waiting for a connection and read/write data off that
> connection. We should implement a check in place to make sure the IP address
> of the remote host is the same as the one we are expecting, if not, close the
> data connection right away. After closing the data connection we can do one of
> the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. just quit and send a reply back to the client that the data connection is
> closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?
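The check discussed in this issue, as an added example that is not the attached FTPSERVER-323.patch or any Apache FtpServer code: a passive listener that closes any data connection whose remote address differs from the control connection's, keeps waiting for the right client (option 1), and returns null on timeout so the caller can send an error reply (option 2). The class name, the `acceptFrom` helper, the 500 ms timeout and the sample addresses are assumptions made for the illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class PassiveAcceptCheck { // hypothetical class, not part of Apache FtpServer
    // Accepts on the passive port until a peer with the expected address connects.
    // Peers with any other address are closed before a byte is transferred.
    // Returns null once timeoutMs has elapsed without a matching peer.
    static Socket acceptFrom(ServerSocket passive, InetAddress expected, int timeoutMs)
            throws IOException {
        long deadline = System.currentTimeMillis() + timeoutMs;
        while (true) {
            long remaining = deadline - System.currentTimeMillis();
            if (remaining <= 0) return null;
            passive.setSoTimeout((int) remaining); // stray peers cannot extend the wait
            Socket data;
            try {
                data = passive.accept();
            } catch (SocketTimeoutException e) {
                return null;
            }
            if (expected.equals(data.getInetAddress())) {
                return data; // same host as the control connection
            }
            data.close(); // unexpected peer: drop it and keep listening
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        InetAddress other = InetAddress.getByName("192.0.2.10"); // constructed sample address
        try (ServerSocket passive = new ServerSocket(0, 1, loopback)) {
            // Control peer recorded as 192.0.2.10, data peer arrives from 127.0.0.1.
            try (Socket stray = new Socket(loopback, passive.getLocalPort())) {
                Socket s = acceptFrom(passive, other, 500);
                System.out.println("mismatched peer accepted: " + (s != null));
            }
            // Control peer and data peer are both 127.0.0.1.
            try (Socket client = new Socket(loopback, passive.getLocalPort());
                 Socket data = acceptFrom(passive, loopback, 500)) {
                System.out.println("matching peer accepted: " + (data != null));
            }
        }
    }
}
```

Server-to-server (FXP) transfers deliberately use a data peer that differs from the control peer, so a server that supports them needs this comparison to be configurable.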