[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] FTP PORT command code in v1.16.3?

From: Tim Ruehsen
Subject: Re: [Bug-wget] FTP PORT command code in v1.16.3?
Date: Tue, 11 Aug 2015 15:30:37 +0200
User-agent: KMail/4.14.2 (Linux/4.1.0-1-amd64; KDE/4.14.2; x86_64; ; )

On Monday 10 August 2015 16:37:35 address@hidden wrote:
> In the past it could be possible for a site over http connection to
> redirect wget to FPT using FTP PORT command so the site gets the real IP
> of the computer even when wget proxy command is in use I believe:
> https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
> Is that code still present in wget v1.16.3? It was present in v1.13.4.

By default Wget is using passive FTP. This avoids PORT (resp. EPRT and LPRT).

But your system administrator could change the default behavior via 
/etc/wgetrc and/or you could change it in ~/.wgetrc.

You can prove Wget's behavior with the -d command line option.
E.g. 'wget -d ftp://ftp.example.com/xyz' (fill a real FTP server here)
A PORT command would be printed to the screen.

*BUT* if the server reject the PASV command, Wget automatically falls back to 
PORT. This is a security thread to people who try to stay anonymous, the real 
client's IP will be shown to the FTP server.
I guess this is the what you are talking about !?

Anyways, this behavior has to be changed.

Thanks for throwing this up.


Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]