Bugtraq: Re: ftpd: the advisory version

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: ftpd: the advisory version

From: djb () CR YP TO (D. J. Bernstein)
Date: Sat, 1 Jul 2000 14:23:27 -0000


Clients should not---and, as far as I know, do not---check the source
TCP port for active connections from the server. See

   http://cr.yp.to/ftp/security.html

for further comments on FTP protocol security issues.

Please note that publicfile isn't just for sites where ``all you need is
anonymous FTP.'' You can run publicfile as your anonymous FTP server,
and run a non-anonymous FTP server on another port or IP address. (Many
of wuftpd's security holes have required the attacker to log in first.)

Similarly, you can use publicfile for static HTTP files, and another
server for dynamic HTTP files.

---Dan

By Date By Thread

Current thread:

Infosec.20000712.worldclient.2.1, (continued)
- Re: ftpd: the advisory version Taneli Huuskonen (Jul 01)
- Re: ftpd: the advisory version D. J. Bernstein (Jul 01)
- Re: ftpd: the advisory version Ron DuFresne (Jul 03)
- Re: ftpd: the advisory version Steven M. Bellovin (Jul 05)