Author ricexdream
Recipients ricexdream
Date 2021-02-21.11:49:34
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1613908174.7.0.0578051462677.issue43285@roundup.psfhosted.org>
In-reply-to
Content
Last year, curl had a security update for CVE-2020-8284. more info, see https://hackerone.com/reports/1040166

The problem is ftp client trust the host from PASV response by default, A malicious server can trick ftp client into connecting
back to a given IP address and port. This may make ftp client scan ports and extract service banner from private newwork.

After test and read ftplib module(https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Lib/ftplib.py#L346), I found ftplib has the same problem.
History
Date User Action Args
2021-02-21 11:49:34ricexdreamsetrecipients: + ricexdream
2021-02-21 11:49:34ricexdreamsetmessageid: <1613908174.7.0.0578051462677.issue43285@roundup.psfhosted.org>
2021-02-21 11:49:34ricexdreamlinkissue43285 messages
2021-02-21 11:49:34ricexdreamcreate