classification
Title: ftplib use host from PASV response
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.9

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: giampaolo.rodola, ricexdream
Priority: normal
Keywords:

Created on 2021-02-21 11:49 by ricexdream, last changed 2021-02-21 15:36 by shihai1991.

Messages (1)
msg387455 - Author: confd0 (ricexdream) Date: 2021-02-21 11:49
Last year, curl had a security update for CVE-2020-8284. For more info, see https://hackerone.com/reports/1040166

The problem is that the FTP client trusts the host from the PASV response by default. A malicious server can trick the FTP client into connecting back to a given IP address and port. This may make the FTP client scan ports and extract service banners from a private network.

After testing and reading the ftplib module (https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Lib/ftplib.py#L346), I found ftplib has the same problem.
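
A client-side mitigation for the behaviour reported above, as an added example that is not part of the original report and not CPython's own code: a hypothetical `PeerPinnedFTP` subclass and helper `pinned_pasv_endpoint` keep the port from the 227 reply but take the host from the control connection's peer address, and log any mismatch. The reply string and addresses in the demo are constructed.

```python
import ftplib
import logging
import socket

log = logging.getLogger("ftp.pasv")  # hypothetical logger name


def pinned_pasv_endpoint(pasv_reply, control_peer_host):
    """Return (host, port) for the data connection.

    Only the port is taken from the server's 227 reply; the host is always
    the address the control connection is already talking to.
    """
    advertised_host, port = ftplib.parse227(pasv_reply)  # raises on non-227
    if advertised_host != control_peer_host:
        # A mismatch is what a redirecting server produces; record it.
        log.warning("PASV advertised %s:%d but control peer is %s; using peer",
                    advertised_host, port, control_peer_host)
    return control_peer_host, port


class PeerPinnedFTP(ftplib.FTP):
    """ftplib.FTP variant that never connects to a server-chosen host."""

    def makepasv(self):
        peer = self.sock.getpeername()
        if self.af == socket.AF_INET:
            return pinned_pasv_endpoint(self.sendcmd("PASV"), peer[0])
        # An EPSV (229) reply carries only a port; parse229 uses the peer host.
        return ftplib.parse229(self.sendcmd("EPSV"), peer)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed reply: server on 203.0.113.10 advertises 10.0.0.5, port 22.
    reply = "227 Entering Passive Mode (10,0,0,5,0,22)."
    print(pinned_pasv_endpoint(reply, "203.0.113.10"))
```

Pinning breaks servers that legitimately hand out a separate data host, so treat a logged mismatch as a reason to review that server before relaxing the check.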

History
Date                 User        Action  Args
2021-02-21 15:36:22  shihai1991  set     nosy: + giampaolo.rodola
2021-02-21 11:49:34  ricexdream  create