[15652] in bugtraq


Re: ftpd: the advisory version

daemon@ATHENA.MIT.EDU (monti)
Thu Jul 6 13:19:11 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.3.96.1000705150424.16067K-100000@mournblade>
Date:         Wed, 5 Jul 2000 15:16:38 -0500
Reply-To: monti <monti@USHOST.COM>
From: monti <monti@USHOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <14685.13760.456523.321265@taltos.tla.org>

On Fri, 30 Jun 2000, Carson Gaspar wrote:

> >> I.e. publicfile is able to drop root privs because it stops using port 20
> >> when creating data connections in response to a PORT command. It's
> >> against the spec but works with most clients.
>
> Mike> Against spec, it may be, but in my opinion, it makes more sense.
>
> FYI, it violates a SHOULD, it doesn't violate a MUST, so it is officially in
> spec.

Regardless of whether it is in or out of spec, IMO it is a terribly bad
idea. Netware's FTP server is a good example of what goes wrong with
this in practice. Either unintentionally or for whatever reason, they
neglect to follow the src port 20 convention, and it has disastrous
effects in relation to firewalls and IP-redirectors. Aside from the
serious security complexities involved with actually *allowing*
other than src-20 active data connections through a firewall, many
"man-in-the-middle" products have been hard-coded to work only with it.

As we saw with recent postings on bugtraq regarding stateful inspection
and sometimes application proxy weaknesses in trying to open dynamic
ftp-data ports, even the current state is pretty bad. Loosening the
de facto standard even more will make it much, much worse.

Just my opinion, but one based on a lot of headache from past experience.

Eric Monti
monti@ushost.com
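The two sides of the argument above (interoperability versus exposure) can be made concrete with a small model of the FTP helper in a stateful-inspection firewall. The following is an added example written for this archive page; it is not code from the thread, from publicfile, or from any firewall product. It parses the client's PORT command, records the one server-to-client data connection that command authorises, and then decides whether an inbound connection matches. With `require_src_20=True` (the convention the post defends) a data connection from any other server port is dropped, which is exactly the breakage seen with servers that do not use port 20; with `require_src_20=False` the pinhole widens to every source port on the server, which is the extra exposure the post warns about. The addresses, ports and the PORT line are constructed sample values.

```python
"""Model of a stateful firewall's FTP helper for active-mode (PORT) transfers.

Added illustration, not from the original post or any real product.
All addresses, ports and command lines below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Conventional source port of the server's active-mode data connection (RFC 959).
FTP_DATA_PORT = 20

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


@dataclass(frozen=True)
class Flow:
    """A TCP connection attempt as the firewall sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str):
    """Return (ip, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # every field is a single byte
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


class FtpHelper:
    """Tracks PORT commands on the control channel and admits the one
    matching server->client data connection (a one-shot pinhole)."""

    def __init__(self, require_src_20: bool = True):
        self.require_src_20 = require_src_20
        self.expected = set()               # (server_ip, client_ip, client_port)

    def observe_control(self, client_ip: str, server_ip: str, line: str) -> bool:
        """Record the data connection a PORT command authorises."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Anti-bounce check: the PORT must point back at the client that sent
        # it, and never at a privileged port.
        if ip != client_ip or port < 1024:
            return False
        self.expected.add((server_ip, client_ip, port))
        return True

    def admit(self, flow: Flow) -> bool:
        """Decide whether an inbound data connection attempt passes."""
        key = (flow.src_ip, flow.dst_ip, flow.dst_port)
        if key not in self.expected:
            return False
        if self.require_src_20 and flow.src_port != FTP_DATA_PORT:
            return False
        self.expected.discard(key)          # pinhole is used exactly once
        return True


def evaluate(require_src_20: bool, server_src_port: int) -> bool:
    """Run one PORT exchange through a fresh helper and test a data flow
    from the given server source port. Sample values are constructed."""
    client, server = "192.0.2.10", "198.51.100.5"
    helper = FtpHelper(require_src_20=require_src_20)
    # 200*256 + 17 = 51217 is the client's ephemeral data port.
    if not helper.observe_control(client, server, "PORT 192,0,2,10,200,17\r\n"):
        raise RuntimeError("sample PORT command was rejected")
    return helper.admit(Flow(server, server_src_port, client, 51217))


if __name__ == "__main__":
    for strict in (True, False):
        for sport in (FTP_DATA_PORT, 49152):
            verdict = "admit" if evaluate(strict, sport) else "drop"
            print(f"require_src_20={strict!s:5} server_src_port={sport:5} -> {verdict}")
```

The strict helper passes only the port-20 flow, so a server that picks an ephemeral source port never gets its data connection through. The relaxed helper admits both, but it has also turned the per-transfer pinhole into "any port on the server may connect to this client port", which is the widening of exposure the post objects to; the anti-bounce check on the PORT target is a separate control and is kept in both modes.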
