[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: scurity issue in inetutils ftp client

From: Simon Josefsson
Subject: Re: scurity issue in inetutils ftp client
Date: Tue, 20 Jul 2021 09:26:05 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

ZeddYu Lu <zeddyu.lu@gmail.com> writes:

> Last year, curl had a security update for CVE-2020-8284. more info, see
> https://hackerone.com/reports/1040166
> The problem is ftp client trust the host from PASV response by default, A
> malicious server can trick ftp client into connecting back to a given IP
> address and port. This may make ftp client scan ports and extract service
> banner from private newwork.

Thank you for the report!  Indeed this seems real, and a quite old bug.
The solution by others (to just ignore the IP address sent by the
server, and use the one provided by the local user instead) is good.

This is an ancient tool that may be used to connect to ancient servers
that for some reason could behave like this.  I think it would be nice
to offer the old behaviour as an option, like curl did.  I have looked
around to see how other command-line ftp clients patched this bug, but
cannot find any good patterns.  Are you aware of any patches to similar
old ftp clients like ours?  As far as I can tell, NetKit-ftp isn't
patched against this bug.


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]