New submission from RiceX Star <ricexdr...@gmail.com>:
Last year, curl had a security update for CVE-2020-8284. For more info, see https://hackerone.com/reports/1040166

The problem is that the FTP client trusts the host from the PASV response by default. A malicious server can trick the FTP client into connecting back to a given IP address and port. This may make the FTP client scan ports and extract service banners from a private network.

After testing and reading the ftplib module (https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Lib/ftplib.py#L346), I found that ftplib has the same problem.

----------
components: Library (Lib)
messages: 387455
nosy: ricexdream
priority: normal
severity: normal
status: open
title: ftplib use host from PASV response
type: security
versions: Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43285>
_______________________________________