Re: ANN: FTP Commander (the ftp browser Frank asked for...)
Frank-

Wednesday, September 8, 2004, 7:24:36 AM, you wrote:

FDEJ> This can be a useful feature, though. You can directly transfer files
FDEJ> from one server to another by setting one to active and the other to
FDEJ> passive mode, and taking the port number and IP address of one and

I don't think so, unless you're talking about spoofing the IP headers at the packet level. In ftp passive mode the server opens a random port within an assigned range for transactions with the client. Even if you managed to pick off that port and pass it to a second server, the second one would have to start the handshaking protocol all over again and a new random port would be opened on the server.

--
-Mark Wieder
[EMAIL PROTECTED]

___
use-revolution mailing list
[EMAIL PROTECTED]
http://lists.runrev.com/mailman/listinfo/use-revolution
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
Not true. You simply wait for the port number to be handed to you by the passive mode server, then tell the active mode server to connect to that port number, with the server's IP address (which the server also gives you as part of the transaction process).

The passive mode server provides an IP address and port number to which a connection should be made. The active mode server requests one. Just give the active mode server the information obtained from the passive mode server.

> I don't think so, unless you're talking about spoofing the IP headers at the packet level. In ftp passive mode the server opens a random port within an assigned range for transactions with the client. Even if you managed to pick off that port and pass it to a second server, the second one would have to start the handshaking protocol all over again and a new random port would be opened on the server.
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
Frank-

Wednesday, September 8, 2004, 9:55:53 AM, you wrote:

I stand corrected. You're quite right - the server's job is just to send out an IP address and port number. From there on it's easy to hijack the connection if it's allowed by the server software.

--
-Mark Wieder
[EMAIL PROTECTED]
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
On Sep 7, 2004, at 6:58 PM, Alejandro Tejada wrote:

> Hi Andre! You really have the talent to boldly code what no programmer has published before. (from the Star Trek motto ;-)
>
> Andre, I have some questions about FTP, now that you are on it:

Hi Alejandro, thanks for the compliments! I am a fan of Star Trek also :D I'll answer your questions below!

> How reliable and safe is FTP protocol? Could it support resume on partial uploads or downloads.

The protocol is pretty dumb. It can support resume and partial uploads, it's pretty easy, I coded a FTP server in transcript and it does support resuming a transfer. The protocol is not safe, let me explain why.

First the client opens a connection to the server, this connection is called the control connection, thru this connection client will ensure its commands and receive responses, all communication will go thru this connection except listing files and transferring files. When you want to list files or transfer files, you'll need a data connection, meaning, depending on your use of active FTP or passive FTP, the client or the server will open another socket and wait for a connection, when this new connection is established, it will send the file list, or the file.

Danger, if you're using passive connections, and you ask for a file and another client connects to that data control port before you do, he will receive your file. Using active FTP the reverse situation can happen, another client can connect to your data control port before you and upload a file saying it's your upload.

The only thing that prevents this from happening everyday is that data ports are dynamic, they are not fixed, for example my own FTPd server will start its data port in the 8059 for the first client and goes incrementing this for the next ones, so anyone trying to find an open control port to connect will need to sniff all my ports to find an open one.

The point is, when you ask for a data port, the server answers what is the port and you connect immediately so the time window for someone to connect is pretty small, but if it happens, there's nothing you can do to prevent the file theft or the upload hijack. See, the security is there only because the client is faster to connect than the hacker is fast to scan all your ports... I would not trust national security files to FTP, I would encrypt them so that user must decrypt after download.

> Could anyone (intentionally) sniff the password used to connect to a ftp server?

I don't think so. Unless someone launches a bogus server and forces a user to log in.

> What additional features does RunRev require to implement the Secure FTP protocol?

I don't know about SFTP but I think if they expose the SSL functions for encryption then we can build the protocol, and that should be safe for data flowing from server to client will be encrypted, anyone hijacking the data port will not be able to decipher it.

> Could I select an encrypted file to get the users name and password from it and connect to a ftp server to upload files?

yes, you control the connection from the Rev side, you're free to send your own login/pass info and to send the commands.

Cheers
Andre

> (In this way the user does not have to write their user name and password on the machine. Sometimes I had wished that all login screen provided an option to get the user id and password directly from a file in cd rom or floppy)
>
> Thanks a lot Andre, Keep up your good work!
>
> al
>
> Visit my site: http://www.geocities.com/capellan2000/

--
Andre Alves Garzia 2004 BRAZIL
http://studio.soapdog.org
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
At 19:20 07/09/2004 -0300, Andre Garzia wrote:

> On Sep 7, 2004, at 6:58 PM, Alejandro Tejada wrote:
>
>> Could anyone (intentionally) sniff the password used to connect to a ftp server?
>
> I don't think so. Unless someone launches a bogus server and forces a user to log in.

Yes, they can sniff passwords. Standard FTP (rfc959) sends passwords in cleartext, so anyone with physical access to the network, and suitable packet-capture hardware can easily sniff the password.

See rfc 2577 for various other things that will scare you about using ftp :-)

-- Alex.
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
On Sep 7, 2004, at 7:58 PM, Alex Tweedly wrote:

> Yes, they can sniff passwords. Standard FTP (rfc959) sends passwords in cleartext, so anyone with physical access to the network, and suitable packet-capture hardware can easily sniff the password.
>
> See rfc 2577 for various other things that will scare you about using ftp :-)
>
> -- Alex.

I never researched packet capture and those security auditing tools... the thing that scares me most is the fact that when in passive mode, the server will start listening in a data port and accepts any connection without checking if the data port client is the same one in the control port, and it will send the file to that client, file theft is just a matter of being there in the right time... very scary...

andre

--
Andre Alves Garzia 2004 BRAZIL
http://studio.soapdog.org
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
Andre-

Tuesday, September 7, 2004, 4:48:52 PM, you wrote:

AG> I never researched packet capture and those security auditing
AG> tools... the thing that scares me most is the fact that when in passive
AG> mode, the server will start listening in a data port and accepts any
AG> connection without checking if the data port client is the same one in
AG> the control port, and it will send the file to that client, file theft
AG> is just a matter of being there in the right time... very scary...

Yes - I don't use passive mode unless I'm absolutely forced to by a server environment. You might look into the SFTP protocol to see how ftp is handled using SSH as a tunneling mechanism. From my brief glance at it the handshaking doesn't look too bad and all the dirty work is handled by the ssh tunnel. Packet sniffing is just way too easy.

--
-Mark Wieder
[EMAIL PROTECTED]
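
The following is an added example, not code from any poster or from FTP Commander: server-side checks, in Python, for the two gaps discussed in the thread above, namely a PORT command that names a host other than the client (the server-to-server hand-off) and a passive-mode data connection arriving from a host other than the control connection's peer. Function names and sample addresses are constructed for illustration; the port-below-1024 refusal follows the suggestion in RFC 2577.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT arguments and 227 (PASV) replies (RFC 959)
_TUPLE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)

def parse_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply line."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple")
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range")
    # port is p1 * 256 + p2
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def same_host(a, b):
    """Compare two addresses numerically rather than as strings."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def check_port_command(arg, control_peer):
    """Active mode: may the server connect out to the address named in PORT?"""
    try:
        ip, port = parse_hostport(arg)
    except ValueError:
        return False, "malformed PORT argument"
    if not same_host(ip, control_peer):
        # This is the case where a client hands over another server's PASV address.
        return False, "PORT names a host other than the control peer"
    if port < 1024:
        # RFC 2577 suggests refusing data connections to ports below 1024.
        return False, "PORT names a privileged port"
    return True, "ok"

def check_data_peer(data_peer, control_peer):
    """Passive mode: accept the data connection only from the control peer's host."""
    return same_host(data_peer, control_peer)
```

Matching on the peer address does not separate two clients behind the same address and does nothing about the cleartext control channel, so encrypting the transfer, as suggested in the thread, is still needed.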
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
Well I'll be a son of a gun...

Andre...I'll let you know how it goes.

Thanks!
-- Frnak

Web Photos Pro: Software for Photo Bloggers and Other Photo Power Users
See us on the web at http://www.webphotospro.com/

On Sep 6, 2004, at 10:10 PM, [EMAIL PROTECTED] wrote:

> From: Andre Garzia [EMAIL PROTECTED]
> Subject: ANN: FTP Commander (the ftp browser Frank asked for...)
> To: How to use Revolution [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=MACINTOSH; format=flowed
>
> FTP Commander
> By Andre Alves Garzia 2004
>
> Motivated by an email from Frank Leahy, I decided to see how fast I could make an FTP client for the masses. The result is 5 hours. At 1:17 I received the email, at 6:09 I am writing this email. Conclusion Revolution Rulz!
>
> I was inspired by old XTree Gold, on the left side is local, on right side is Server side. You can type the full path in the field or press browse. You must type in the full FTP URL (including user and pass) on the field. Pressing refresh will refresh the list. Top listbox on each side is folder list, bottom listbox is file list. You can select multiple files. Operations will work on multiple files. There's a libURL log field below.
>
> So far I tested all the operations. You can upload, download, traverse, rename one or multiple files. You go tagging the files, and press the desired operation button. It works, I think I'll market this one soon... so far so good, two apps in one day... pretty good.
>
> http://www.soapdog.org/rev/FTPCommander.rev
>
> Happy FTP!!!
> Andre
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
Frank,

don't forget the ending slash in the FTP URL like:

ftp://myUser:[EMAIL PROTECTED]/mySweetFolder/

let me know if this works for you!!! :D

Cheers
andre

On Sep 6, 2004, at 6:27 PM, Frank Leahy wrote:

> Well I'll be a son of a gun...
>
> Andre...I'll let you know how it goes.
>
> Thanks!
> -- Frnak
>
> Web Photos Pro: Software for Photo Bloggers and Other Photo Power Users
> See us on the web at http://www.webphotospro.com/

--
Andre Alves Garzia 2004 BRAZIL
http://studio.soapdog.org
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
On Monday, September 6, 2004, at 02:31 PM, Andre Garzia wrote:

> don't forget the ending slash in the FTP URL like:
>
> ftp://myUser:[EMAIL PROTECTED]/mySweetFolder/
>
> let me know if this works for you!!! :D
>
> Cheers
> andre

Works great. Now I get it. In just a few guesses I got the correct configuration of the URL with my proper connection information and I was in.

Now a double click on folder names to append the folder name to the current URL in combination with a mouseUp simulation or refreshftpfilelist and you have effectively replaced my old fetch program running Mac 9.2 on my MacOSX.

Now I'll test it to see if I can upload. What about as text or as raw binary data?

COOL !

Mark
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
On 9/6/04 4:31 PM, Andre Garzia [EMAIL PROTECTED] wrote:

> Frank,
>
> don't forget the ending slash in the FTP URL like:
>
> ftp://myUser:[EMAIL PROTECTED]/mySweetFolder/
>
> let me know if this works for you!!! :D
>
> Cheers
> andre

That's awesome, Andre! Thanks!

Ken Ray
Sons of Thunder Software
Web site: http://www.sonsothunder.com/
Email: [EMAIL PROTECTED]
Re: ANN: FTP Commander (the ftp browser Frank asked for...)
On Monday, September 6, 2004, at 02:31 PM, Andre Garzia wrote:

> don't forget the ending slash in the FTP URL like:
>
> ftp://myUser:[EMAIL PROTECTED]/mySweetFolder/
>
> let me know if this works for you!!! :D
>
> Cheers
> andre

Almost everything works for me. I had to comment out the

-- delete last char of tFilename

in the download button, otherwise it was chopping the last char of the actual filename.

My local system is running Rev 2.2 on Win2k. The FTP site was an SGI Octane running Irix 6.4. The directory listing works fine, but it will not download a file to my local desktop. The log info says the transfer completed.

150 Opening BINARY mode data connection for /shared_files/ting.wav' (5886 bytes).
CLOSED 192.15.32.01:1072|6939
226 Transfer complete.

Still it's very impressive for 5 hours of work!

Roger Eller
[EMAIL PROTECTED]