IIS 6.0 FTP PASV issue



#1 danruehle


Posted 29 July 2004 - 08:05 PM

It seems that IIS 6.0 FTP requires a connection to a PASV port before a transfer command is issued now. I found this out via this post:

>When we try to use PASV mode with FTP (IIS 6.0) we get a "25 Can't open data
>connection."  Here is what our client does (after it successfully logs in):
>
>c - PASV
>s - 227 Entering Passive Mode (192,168,xxx,xxx,13,196).
>c - STOR foo.doc
>
>It is after the STOR that the client actually opens up the connection to
>port via 13,196 (skipping the # conversion here).  THIS WORKS FINE USING
>SEVERAL OTHER FTP SERVERS.  If we open the 13,196 port BEFORE the STOR, IIS
>6.0 FTP works fine.  So, it appears that IIS won't let us send any commands
>like STOR until we actually connect to the port 13,196.  If we modify the
>client code to first connect, then send the STOR command, everything is
>fine.  Other servers let us open the PASV port either before or after the
>STOR command.



Yes, but this is a security problem.  The client should ensure that the
connection has been successfully established _before_ sending any transfer
command.  Otherwise, you're setting yourself up for a port hijacking attack.

If I had my way, I'd make sure that my FTP server also refused any such
transfer commands.  Unfortunately, too many clients are reckless, like
yours, and are written by people who aren't concerned about protecting their
users against port hijack.  So, to support some of the more "popular" FTP
clients, I have to make this concession.



>My question is 1) is this really how FTP IIs 6.0 works, and 2) I can't find
>anything in the RFC that states when the client can or cannot decide to open
>up the port connection (before or after the STOR command); what's the
>standard?



The RFC doesn't specify what order to do it in.  However, it is simply
common sense that you should confirm that the initial connection is
successful before you send any transfer commands.  To do otherwise is to
perform in a non-robust manner.



>Is IIS 6.0 FTP broken or is it left up to the server on how to handle when
>it will or will not accept the PASV connection??



Maybe IIS 6.0 is trying to prevent port hijacking attacks?



>This is all running on the same box...not firewalls, NATs, etc involved;
>everything works fine with other FTP servers or when we always connect to
>the PASV port before sending the STOR command.



So... always connect to the PASV port before sending the STOR command!

This doesn't stop me from connecting, but it does stop any transfers I try to do with IIS 6.0 FTP on my Windows 2003 server using PASV mode. Is this something that anyone else has run into? Can something be done about this? I don't want to have to go back to using Internet Explorer for FTP!

Thanks,
Dan Ruehle
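
The connect-before-STOR ordering discussed in the quoted exchange, as an added example that is not part of the original thread or of any product's code. It parses the 227 reply (including the port conversion the quote skips), and `strict_server` is a constructed loopback stand-in that refuses STOR unless the data connection already exists, as the post describes IIS 6.0 doing; all function names and the sample payload are assumptions.

```python
import re, select, socket, threading

def parse_pasv(reply):
    """Turn '227 ... (h1,h2,h3,h4,p1,p2)' into (host, port); port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a usable 227 reply: %r" % reply)
    return "%s.%s.%s.%s" % m.groups()[:4], int(m.group(5)) * 256 + int(m.group(6))

def strict_server(listener, stored):
    """Constructed stand-in: STOR gets 425 unless a data connection is already queued."""
    ctrl = listener.accept()[0]
    with ctrl, socket.create_server(("127.0.0.1", 0)) as data_l:
        for line in ctrl.makefile("rb"):
            msg = b"502 Command not implemented."
            if line.startswith(b"PASV"):
                msg = b"227 Entering Passive Mode (127,0,0,1,%d,%d)." % divmod(data_l.getsockname()[1], 256)
            elif line.startswith(b"STOR"):
                msg = b"425 Can't open data connection."
                if select.select([data_l], [], [], 0.2)[0]:  # client already connected?
                    with data_l.accept()[0] as data:
                        ctrl.sendall(b"150 Opening data connection.\r\n")
                        stored.append(data.makefile("rb").read())
                    msg = b"226 Transfer complete."
            ctrl.sendall(msg + b"\r\n")

def upload(ctrl_addr, name, payload, connect_first=True):
    """Upload over PASV; return the server's final reply to STOR."""
    with socket.create_connection(ctrl_addr, timeout=5) as ctrl, ctrl.makefile("rb") as rd:
        def cmd(text):
            ctrl.sendall(text.encode() + b"\r\n")
            return rd.readline().decode().strip()
        addr = parse_pasv(cmd("PASV"))
        # Safe ordering: an unreachable data port raises here, before STOR is sent.
        data = socket.create_connection(addr, timeout=5) if connect_first else None
        reply = cmd("STOR " + name)
        if reply.startswith("150"):
            with data or socket.create_connection(addr, timeout=5) as d:
                d.sendall(payload)
            reply = rd.readline().decode().strip()
        return reply

def demo(connect_first):
    with socket.create_server(("127.0.0.1", 0)) as listener:
        stored = []
        t = threading.Thread(target=strict_server, args=(listener, stored))
        t.start()
        reply = upload(listener.getsockname(), "foo.doc", b"constructed sample", connect_first)
        t.join()
    return reply, stored
```

`demo(True)` completes the transfer, while `demo(False)` reproduces the refusal quoted at the top of the post because STOR arrives before any data connection.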

#2 mb

    Developer

  • Administrators
  • 11521 posts

Posted 16 August 2004 - 12:35 PM

Hello ..

There are no problems with SmartFTP and IIS 6.0 that we are aware of.

Regards,
-Mat