On Wed, Nov 03, 1999 at 10:46:26AM -0500, Greg Stark wrote:
> > There is a good reason some servers (like the one I have written) do not
> > allow server-server transfers. If it did allow the user to tell the
> > server to connect to any IP, you could attack any server/port on the
> > network with arbitrary data using the resources of the FTP server to do
> > so. By only allowing the server to connect to the IP the control
> > connection comes from, possible damage is limited.
>
> Only if you're allowed to log in to the server in the first place. It
> certainly doesn't make sense for non-passive anonymous FTP but that's not
> the only use for FTP.

Consider this: you could cause an FTP server to connect to port 25 on a
remote server, uploading something that looks like SMTP commands. This is a
fun way to send (virtually) untraceable e-mail. I've done this between a
few of my own computers, and it works wonderfully, especially with badly
configured FTP daemons that don't log every get/put command.

This is why some FTP servers now limit based on port number, too. However,
creative people will find ports >1024 that would benefit from untraceable
messages.

IMHO, server to third-party FTP transfers are basically silly (and trying to
do things like this causes no end of confusion to firewall administrators).
Why not just install an FTP client on the second computer??

Have fun,
Avery
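
The two restrictions discussed in this thread (connect only to the IP the control connection comes from, and limit by port number), together with logging of every decision, as an added Python example that is not code from either poster or from any particular FTP daemon. The function names, the 1024 threshold, the reply texts and the sample addresses are assumptions made for illustration.

```python
# Added example: validating the argument of an FTP PORT command before the
# server opens a data connection. All names here are hypothetical.
import ipaddress

MIN_DATA_PORT = 1024  # assumption: refuse privileged ports such as 25 (SMTP)


class PortRejected(ValueError):
    """The PORT argument is malformed or points somewhere we will not connect."""


def parse_port_argument(arg):
    """Parse RFC 959 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise PortRejected("expected six comma-separated fields")
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise PortRejected("non-numeric field")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise PortRejected("field out of range 0-255")
    return ipaddress.IPv4Address(bytes(nums[:4])), (nums[4] << 8) | nums[5]


def check_port_command(arg, control_peer_ip):
    """Return (host, port) only if the target is the control-connection peer."""
    host, port = parse_port_argument(arg)
    if host != ipaddress.IPv4Address(control_peer_ip):
        raise PortRejected(f"target {host} is not control peer {control_peer_ip}")
    if port < MIN_DATA_PORT:
        raise PortRejected(f"port {port} is below {MIN_DATA_PORT}")
    return host, port


def handle_port(arg, control_peer_ip, log):
    """Build the reply and log every decision, accepted or refused."""
    try:
        host, port = check_port_command(arg, control_peer_ip)
    except PortRejected as why:
        # repr() keeps control characters in the argument out of the log line
        log.append(f"PORT refused peer={control_peer_ip} arg={arg!r} reason={why}")
        return "500 Illegal PORT command"
    log.append(f"PORT accepted peer={control_peer_ip} data={host}:{port}")
    return "200 PORT command successful"


if __name__ == "__main__":
    audit = []  # constructed sample session; addresses are documentation ranges
    for sample in ("192,0,2,10,195,80", "198,51,100,7,0,25", "192,0,2,10,0,25"):
        print(sample, "->", handle_port(sample, "192.0.2.10", audit))
    print("\n".join(audit))
```

The address check is what stops the third-party connection; the port floor alone does not, which matches the point above about ports >1024.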