~ :> mode) and server (passive mode). While user X is connecting to server to
~ :> fetch/put files, user Y could figure out the current binded port number by
~ :> simply connecting to the same server and issuing `pasv'. [...]
~ :
~ :FTP servers and clients should verify that the one who connects is the one
~ :who said he would.
they should. but some of them don't. NCFTPd for example.
~ : This is easily done based on the IP address (although
~ :IPmasq hosts make things a bit weirder). I've often wondered if they
~ :actually did check this, but I've never actually looked.
well, it never was required to perform such checks by proto specification,
so ftpd developers seem to have done on random flight: some of them, who
considered this as a security problem, performed such checks, while the
other didn't.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
