
FXP Security Issues



#1 GettinSmart

GettinSmart
  • Members
  • 2 posts

Posted 09 March 2004 - 10:29 PM

My hosting company runs PROFTPD software, which will support foreign connections. However, they have it disabled. The second level folks that I talked to seemed to be willing to consider enabling it, if I could demonstrate that there was not a big security issue. (The PROFTPD manual cites rfc2577 as the reason for the big security issue.)

The main problem seems to be a "bounce" attack.

Can anybody with SmartFTP write something definitive, that either illustrates that FXP does carry a substantial security opening, or why it does not?

Your assistance will be appreciated across the globe.

#2 mb

mb

    Developer

  • Administrators
  • 11521 posts

Posted 09 March 2004 - 10:32 PM

For premium support please post your license key (without signature) or buy one at
http://www.smartftp.com/buy.php

Thank you.
-Mat
SmartFTP.com

#3 mb

mb

    Developer

  • Administrators
  • 11521 posts

Posted 10 March 2004 - 12:54 PM

Hello ...

It's a security risk. But we cannot estimate the risk in your situation. It's up to your hosting company. You can check whether other big hosters have it enabled or not. It may be a good reference.

-Mat
SmartFTP.com

#4 GettinSmart

GettinSmart
  • Members
  • 2 posts

Posted 10 March 2004 - 05:26 PM

It seems to me that a bounce attack is
A) only a threat to the target of the attack, which is not the FTP platform through which it is launched.
B) that rfc2577 is more concerned about anonymous FTP allowing 'hard to trace' bounce attacks.
C) therefore FXP is NOT a security threat to the host, and
D) therefore if only enabled when not anonymous, the complaint of being 'hard to trace' is moot.

but all this is just suppositions, because I don't really have a good FTP foundation.

Is there someone out there that can address this issue definitively?

Support staff, is it okay for others to cross-post this question on non-SmartFTP sites, in an attempt to get a real answer - and maybe get FXP turned on at lots of sites. My host has over a million sites, and they don't have answers to these questions. How many hosts are in a similar spot - installing the default values on their FTP servers which leave FXP off for potentially moot reasons.

THANKS
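The server-side check that RFC 2577 recommends, and that "foreign connections disabled" amounts to, is that the address a client supplies in a PORT command must match the peer of the control connection and must not name a privileged port; FXP works only when the address match is relaxed, leaving the port rule and logging as the remaining safeguards. The following is an added illustration of that check, not ProFTPD's or SmartFTP's code; the function names, the allow_foreign flag and the sample commands are constructed for the example.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 -- four address octets and a 16-bit port as two bytes
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(cmd):
    """Return (IPv4Address, port) for a PORT command, or None if malformed."""
    m = PORT_RE.match(cmd.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    addr = ipaddress.IPv4Address(".".join(str(x) for x in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return addr, port


def check_port(cmd, peer_ip, allow_foreign=False):
    """Decide whether a PORT command may be honoured.

    peer_ip is the address of the client on the control connection.
    allow_foreign=False is the default, anti-bounce posture; True is what
    enabling FXP (site-to-site transfers) requires. Returns (ok, reply).
    """
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "501 Syntax error in PORT command"
    addr, port = parsed
    # RFC 2577 section 3: never open data connections to privileged ports,
    # which is what a bounce attack against a third-party service relies on.
    if port < 1024:
        return False, "500 Illegal PORT command (privileged port)"
    # The foreign-address rule: data address must be the control peer unless
    # site-to-site transfers are deliberately allowed.
    if not allow_foreign and addr != ipaddress.IPv4Address(peer_ip):
        return False, "500 Illegal PORT command (address is not the control peer)"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    # Constructed examples: a normal client and a third-party data address.
    print(check_port("PORT 192,0,2,10,4,1", "192.0.2.10"))
    print(check_port("PORT 198,51,100,5,0,25", "192.0.2.10", allow_foreign=True))
    print(check_port("PORT 198,51,100,5,8,0", "192.0.2.10", allow_foreign=True))
```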