On Wed, 3 Nov 1999, Greg Stark wrote:
>
> > FTP servers and clients should verify that the one who connects is the one
> > who said he would. This is easily done based on the IP address (although
> > IPmasq hosts make things a bit weirder). I've often wondered if they
> > actually did check this, but I've never actually looked.
>
> They certainly should not, this would defeat an intentional and very useful
> feature of ftp - the ability to transfer files between two other machines
> without going via the client. Unfortunately some do.
>
> In any case authentication by ip address would still leave you open to attacks
> from machines on the local network.

There is a good reason some servers (like the one I have written) do not
allow server-server transfers. If it did allow the user to tell the
server to connect to any ip, you could attack any server/port on the
network with arbitrary data using the resources of the ftp server to do
so. By only allowing the server to connect to the IP the control
connection comes from, possible damage is limited.
BTW, nobody uses server to server transfers AFAIK.
Beau Kuiper
[EMAIL PROTECTED]
>
> --
> greg
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
>
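The restriction described in the reply above (only open the data connection to the IP the control connection comes from) can be expressed as a check on the PORT argument. This is an added example, not part of the original thread and not code from the server mentioned in it; the function names, reply texts and sample addresses are assumptions constructed for illustration.

```python
import ipaddress


class PortRejected(Exception):
    """The PORT argument must be refused."""


def parse_port_argument(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959 PORT syntax) into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise PortRejected("malformed PORT argument")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise PortRejected("PORT field out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_port_command(arg, control_peer_ip):
    """Accept the target only if it is the host that opened the control connection."""
    host, port = parse_port_argument(arg)
    if host != ipaddress.IPv4Address(control_peer_ip):
        # Different host: the server would be connecting to a third party
        # on the client's say-so, so refuse.
        raise PortRejected("PORT address differs from control connection peer")
    if port == 0:
        raise PortRejected("port 0 is not connectable")
    return str(host), port


def handle_port(arg, control_peer_ip):
    """Return the reply line a server could send (reply texts are illustrative)."""
    try:
        check_port_command(arg, control_peer_ip)
    except PortRejected as exc:
        return "501 " + str(exc)
    return "200 PORT command successful"


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed sample: address of the control connection
    for arg in ("192,0,2,10,19,137",     # same host as control connection
                "198,51,100,7,0,25",     # third-party host, refused
                "192,0,2,10,19"):        # malformed
        print(arg, "->", handle_port(arg, peer))
```

As the quoted message notes, this check also disables server-to-server transfers, since those rely on PORT naming a different host.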