Re: [Bug-wget] FTP PORT command code in v1.16.3?

bug-wget

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] FTP PORT command code in v1.16.3?

From:	Tim Ruehsen
Subject:	Re: [Bug-wget] FTP PORT command code in v1.16.3?
Date:	Thu, 13 Aug 2015 10:11 +0200
User-agent:	KMail/4.14.2 (Linux/4.1.0-1-amd64; KDE/4.14.2; x86_64; ; )

On Thursday 13 August 2015 02:47:19 address@hidden wrote:
> > On Monday 10 August 2015 16:37:35 address@hidden wrote:
> >> In the past it could be possible for a site over http connection to
> >> redirect wget to FPT using FTP PORT command so the site gets the real IP
> >> of the computer even when wget proxy command is in use I believe:
> >> https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
> >> 
> >> Is that code still present in wget v1.16.3? It was present in v1.13.4.
> > 
> > By default Wget is using passive FTP. This avoids PORT (resp. EPRT and
> > LPRT).
> > 
> > But your system administrator could change the default behavior via
> > /etc/wgetrc and/or you could change it in ~/.wgetrc.
> > 
> > You can prove Wget's behavior with the -d command line option.
> > E.g. 'wget -d ftp://ftp.example.com/xyz' (fill a real FTP server here)
> > A PORT command would be printed to the screen.
> > 
> > *BUT* if the server reject the PASV command, Wget automatically falls back
> > to
> > PORT. This is a security thread to people who try to stay anonymous, the
> > real
> > client's IP will be shown to the FTP server.
> > I guess this is the what you are talking about !?
> 
> Yes I believe. The way I understood the issue is if I used wget to
> download a file from a website like '$wget --proxy
> --execute=http_proxy=http://127.0.0.1:8118/ -c
> http://somesite.com/somefile.txt' the site could send FTP PORT command to
> redirect wget to ftp protocol, and then get the computer's IP even though
> I used the http proxy option.

Well somesite.com could redirect you to an FTP site.
If the FTP site rejects the PASV command, Wget will send a PORT command 
including the client's IP address. This is fixed now. 

But to be 100% sure, you should add --passive-ftp to your command line.
If you don't do that, your /etc/wgetrc or ~/.wgetrc could include --no-
passive-ftp (or passiveftp = off). That switches passive FTP off and makes 
Wget sending a PORT command (+ IP address) to the FTP server (sometimes you 
need this, if the server does not support passive FTP).

Tim

signature.asc
Description: This is a digitally signed message part.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-wget] FTP PORT command code in v1.16.3?, tomtidaly, 2015/08/10
- Re: [Bug-wget] FTP PORT command code in v1.16.3?, Tim Ruehsen, 2015/08/11
  - Re: [Bug-wget] FTP PORT command code in v1.16.3?, Tim Ruehsen, 2015/08/11
    - Re: [Bug-wget] FTP PORT command code in v1.16.3?, Giuseppe Scrivano, 2015/08/11
    - Re: [Bug-wget] FTP PORT command code in v1.16.3?, Tim Ruehsen, 2015/08/11
    - Re: [Bug-wget] FTP PORT command code in v1.16.3?, Giuseppe Scrivano, 2015/08/11
  - Re: [Bug-wget] FTP PORT command code in v1.16.3?, tomtidaly, 2015/08/12
    - Re: [Bug-wget] FTP PORT command code in v1.16.3?, Tim Ruehsen <=

Prev by Date: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling
Next by Date: Re: [Bug-wget] bad filenames (again)
Previous by thread: Re: [Bug-wget] FTP PORT command code in v1.16.3?
Next by thread: [Bug-wget] Eternallybored Windows binary Wget safe?
Index(es):
- Date
- Thread