On Mon, Oct 25, 1999 at 08:05:56PM +0600, CyberPsychotic wrote:

> ~ :> +                int rover = tcp_port_rover+jiffies%(high-low);
> ~ :>  
> ~ :>                  do {    rover++;
> ~ :>                          if ((rover < low) || (rover > high))
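
Review bot: In the added `rover` initializer, `jiffies%(high-low)` is a modulo by zero when the local port range is configured with `high == low`, so the expression needs a guard for an empty span before the `%`. Also, `jiffies` is a tick counter, not a random source, so the starting offset is only as hard to guess as the machine's uptime; if unpredictability is the goal, the offset should come from the kernel's random number source. The sum can start above `high` and relies on the `(rover < low) || (rover > high)` check that follows to bring it back in range, which deserves a comment.
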
> ~ :
> ~ :I'm not qualified to comment whether or not randomizing the port numbers
> ~ :would be a good idea.
> 
> well, it exposes (at least) some problems with ftp. Both client (active
> mode) and server (passive mode). While user X is connecting to server to
> fetch/put files, user Y could figure out the current bound port number by
> simply connecting to the same server and issuing `pasv'. [...]

FTP servers and clients should verify that the one who connects is the one
who said he would.  This is easily done based on the IP address (although
IPmasq hosts make things a bit weirder).  I've often wondered if they
actually did check this, but I've never actually looked.

Have fun,

Avery
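
The peer check suggested in the message above, sketched for the passive-mode (server) side as an added example; it is not code from this thread or from any FTP daemon. The function names and the `max_strangers` limit are assumptions, and hosts behind one IP-masquerading gateway still share an address, so this check cannot tell them apart.

```python
import ipaddress
import socket


def normalize_ip(addr):
    """Canonical address object; unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any zone id
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 objects have this
    return mapped if mapped is not None else ip


def same_host(control_ip, data_ip):
    """True only if the data-connection peer is the control-connection peer."""
    return normalize_ip(control_ip) == normalize_ip(data_ip)


def accept_data_connection(listener, control_ip, max_strangers=5):
    """Accept on the PASV listener until the control peer connects.

    Connections from any other address are closed without reading a byte.
    Returns None after max_strangers mismatches (assumed limit) so that a
    third party cannot keep the transfer waiting indefinitely.
    """
    rejected = 0
    while rejected < max_strangers:
        conn, peer = listener.accept()
        if same_host(control_ip, peer[0]):
            return conn
        conn.close()
        rejected += 1
    return None


def open_pasv_listener(bind_ip, timeout=30.0):
    """Hypothetical helper: one listening socket per transfer, port chosen
    by the kernel, with a timeout so an unclaimed port does not stay open."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((bind_ip, 0))
    sock.listen(1)
    sock.settimeout(timeout)
    return sock
```

A server would call `accept_data_connection(open_pasv_listener(local_ip), control_sock.getpeername()[0])` after answering `PASV`; the active-mode client side applies the same comparison against the server's address.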