bug-wget

Re: [Bug-wget] FTP PORT command code in v1.16.3?


From: Tim Ruehsen
Subject: Re: [Bug-wget] FTP PORT command code in v1.16.3?
Date: Tue, 11 Aug 2015 17:06:27 +0200
User-agent: KMail/4.14.2 (Linux/4.1.0-1-amd64; KDE/4.14.2; x86_64; ; )

On Tuesday 11 August 2015 15:30:37 Tim Ruehsen wrote:
> On Monday 10 August 2015 16:37:35 address@hidden wrote:
> > In the past it could be possible for a site over http connection to
> > redirect wget to FTP using FTP PORT command so the site gets the real IP
> > of the computer even when wget proxy command is in use I believe:
> > https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
> >
> > Is that code still present in wget v1.16.3? It was present in v1.13.4.
>
> By default Wget uses passive FTP. This avoids PORT (resp. EPRT and
> LPRT).
>
> But your system administrator could change the default behavior via
> /etc/wgetrc and/or you could change it in ~/.wgetrc.
>
> You can prove Wget's behavior with the -d command line option.
> E.g. 'wget -d ftp://ftp.example.com/xyz' (fill a real FTP server here)
> A PORT command would be printed to the screen.
>
> *BUT* if the server rejects the PASV command, Wget automatically falls back
> to PORT. This is a security threat to people who try to stay anonymous, the
> real client's IP will be shown to the FTP server.
> I guess this is what you are talking about!?
>
> Anyways, this behavior has to be changed.
>
> Thanks for throwing this up.
>
> Tim

Here is a patch for review.

If nobody complains, I'll push it soon.

Tim

Attachment: 0001-Fix-IP-address-exposure-in-FTP-code.patch
Description: Text Data

Attachment: signature.asc
Description: This is a digitally signed message part.
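An added example (not Wget's code and not the attached patch) that applies the `-d` check described above offline: it scans a constructed debug transcript for active-mode commands (PORT/EPRT/LPRT) and looks for `passive_ftp = off` in wgetrc files. The `--> CMD` / `<-- reply` line format is assumed, as is the sample session.

```sh
#!/bin/sh
# Added example, not part of the wget project. Scans a 'wget -d' transcript
# for active-mode FTP data-connection commands, which hand the client's real
# IP to the server, and tells a PASV rejection fallback apart from plain
# active mode. Check wgetrc files for a setting that disables passive FTP.

# Constructed sample: what a 'wget -d ftp://...' session is assumed to print
# when the server rejects PASV and Wget falls back to PORT (format assumed).
SAMPLE_LOG='--> USER anonymous
<-- 331 Please specify the password.
--> PASS -wget@
<-- 230 Login successful.
--> PASV
<-- 425 Cannot open passive connection.
--> PORT 10,0,0,5,200,17
<-- 200 PORT command successful.
--> RETR xyz'

# Print every active-mode command in the transcript.
# Exit status 0 if any were found (IP exposed to the server), 1 otherwise.
active_ftp_commands() {
    printf '%s\n' "$1" | grep -E '^--> (PORT|EPRT|LPRT)( |$)'
}

# Classify a transcript as: passive, active-fallback (PASV/EPSV was tried
# first, then PORT/EPRT/LPRT), active, or none (no data connection opened).
classify_ftp_mode() {
    log="$1"
    if printf '%s\n' "$log" | grep -qE '^--> (PORT|EPRT|LPRT)( |$)'; then
        if printf '%s\n' "$log" | grep -qE '^--> (PASV|EPSV)( |$)'; then
            echo active-fallback
        else
            echo active
        fi
    elif printf '%s\n' "$log" | grep -qE '^--> (PASV|EPSV)( |$)'; then
        echo passive
    else
        echo none
    fi
}

# Exit status 0 if any of the given wgetrc files sets passive_ftp = off,
# e.g. passive_ftp_disabled_in /etc/wgetrc "$HOME/.wgetrc"
passive_ftp_disabled_in() {
    grep -Eis '^[[:space:]]*passive_ftp[[:space:]]*=[[:space:]]*off' "$@" >/dev/null
}

classify_ftp_mode "$SAMPLE_LOG"
```

Run the script on the output of a real `wget -d ftp://...` session (saved with `2>&1`) to see whether the data connection fell back to PORT; a result of passive means no PORT/EPRT/LPRT was sent.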

