[14321] in bugtraq

Re: Update: Extending the FTP "ALG" vulnerability to any FTP

daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Mar 17 01:13:33 2000

Message-Id:  <200003151142.WAA03394@cairo.anu.edu.au>
Date:         Wed, 15 Mar 2000 22:42:39 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         Mikael Olsson <mikael.olsson@enternet.se>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <38CF43AD.5670727E@enternet.se> from "Mikael Olsson" at Mar 15,
              2000 09:02:53 AM

In some mail from Mikael Olsson, sie said:
> > >  Workarounds to this specific vulnerability
> > > --------------------------------------------
> > >
> > >   * Disable active FTP. Errrr, wait. The fix for the server side
> > >     vulnerability was to disable passive FTP.
> >
> > Which specific vulnerability was this ?
> > And was it a vulnerability or a DoS problem ?
>
> It was the "Multiple firewalls FTP server "PASV" vulnerability"
> mentioned in my reference list. Basically does the same thing
> - letting people connect to any port - but on FTP servers
> instead. The official "fix" was "disable passive FTP". Well,
> since the "fix" for this is "disable active FTP"..   ...  :-)

Ah, right.

This is a different problem and can be fixed to remove the
vulnerability that exists.  This particular problem exists
only because of people taking shortcuts to implement ftp
proxies by just looking at packets (personally, I'm one of
them and I hate it, and much prefer people to use ftp-gw).

So the upshot of this is with FW-1, you're screwed until you
get the relevant fixes in place for ftp.  With any proxy
based solution, you should only allow passive FTP.

Darren
