IIS 6.0 FTP PASV issue

danruehle

2004-07-29 20:05:42

It seems that IIS 6.0 FTP requires a connection to a PASV port before a transfer command is issued now. I found this out via this post:

>When we try to use PASV mode with FTP (IIS 6.0) we get a "25 Can't open data connection."  Here is what our client does (after it successfully logs in):
>
>c - PASV
>s - 227 Entering Passive Mode (192,168,xxx,xxx,13,196).
>c - STOR foo.doc
>
>It is after the STOR that the client actually opens up the connection to port via 13,196 (skipping the # conversion here).  THIS WORKS FINE USING SEVERAL OTHER FTP SERVERS.  If we open the 13,196 port BEFORE the STOR, IIS 6.0 FTP works fine.  So, it appears that IIS won't let us send any commands like STOR until we actually connect to the port 13,196.  If we modify the client code to first connect, then send the STOR command, everything is fine.  Other servers let us open the PASV port either before or after the STOR command.

Yes, but this is a security problem.  The client should ensure that the connection has been successfully established _before_ sending any transfer command.  Otherwise, you're setting yourself up for a port hijacking attack.

If I had my way, I'd make sure that my FTP server also refused any such transfer commands.  Unfortunately, too many clients are reckless, like yours, and are written by people who aren't concerned about protecting their users against port hijack.  So, to support some of the more "popular" FTP clients, I have to make this concession.

>My question is 1) is this really how FTP IIS 6.0 works, and 2) I can't find anything in the RFC that states when the client can or cannot decide to open up the port connection (before or after the STOR command); what's the standard?

The RFC doesn't specify what order to do it in.  However, it is simply common sense that you should confirm that the initial connection is successful before you send any transfer commands.  To do otherwise is to perform in a non-robust manner.

>Is IIS 6.0 FTP broken or is it left up to the server on how to handle when it will or will not accept the PASV connection??

Maybe IIS 6.0 is trying to prevent port hijacking attacks?

>This is all running on the same box...no firewalls, NATs, etc involved; everything works fine with other FTP servers or when we always connect to the PASV port before sending the STOR command.

So... always connect to the PASV port before sending the STOR command!

This doesn't stop me from connecting, but it does stop any transfers I try to do with IIS 6.0 FTP on my Windows 2003 server using PASV mode. Is this something that anyone else has run into? Can something be done about this? I don't want to have to go back to using Internet Explorer for FTP!

Thanks,
Dan Ruehle
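Added example, not part of the original thread and not code from IIS or any FTP client named here: a minimal client that parses the 227 reply, opens the data connection, and only then sends STOR, run against a constructed loopback stand-in server that rejects STOR when no data connection exists yet. The names `parse_227`, `strict_server`, `store` and `demo` are hypothetical, and the stand-in only models the behaviour described in the quoted post.

```python
import re, socket, threading

def parse_227(reply):
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    n = [int(x) for x in m.groups()] if m else []
    if not reply.startswith("227") or not n or max(n) > 255:
        raise ValueError("bad 227 reply: %r" % reply)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]  # port = p1*256 + p2

def strict_server(ctrl):
    """Constructed stand-in: rejects STOR unless the data connection already exists."""
    conn, _ = ctrl.accept()
    for line in conn.makefile("rb"):
        if line.upper().startswith(b"PASV"):
            data = socket.create_server(("127.0.0.1", 0))
            p = data.getsockname()[1]
            conn.sendall(b"227 Entering Passive Mode (127,0,0,1,%d,%d).\r\n" % (p >> 8, p & 255))
        elif line.upper().startswith(b"STOR"):
            data.settimeout(0.2)  # brief grace period keeps the demo deterministic
            try:
                d, _ = data.accept()
            except socket.timeout:
                conn.sendall(b"425 Can't open data connection.\r\n")
                continue
            conn.sendall(b"150 Ok\r\n")
            conn.sendall(b"226 Stored %d bytes\r\n" % len(d.makefile("rb").read()))

def store(ctrl_addr, name, payload, connect_first=True):
    """Upload payload over PASV; return the final control-channel reply."""
    with socket.create_connection(ctrl_addr, timeout=5) as c, c.makefile("rb") as rf:
        def cmd(line):
            c.sendall(line.encode() + b"\r\n")
            return rf.readline().decode().strip()
        addr = parse_227(cmd("PASV"))
        d = socket.create_connection(addr, timeout=5) if connect_first else None  # data channel first
        reply = cmd("STOR " + name)
        if reply.startswith("150"):
            d = d or socket.create_connection(addr, timeout=5)
            d.sendall(payload)
            d.close()
            reply = rf.readline().decode().strip()
        return reply

def demo():
    def run(first):
        ctrl = socket.create_server(("127.0.0.1", 0))
        threading.Thread(target=strict_server, args=(ctrl,), daemon=True).start()
        return store(ctrl.getsockname(), "foo.doc", b"hello", first)
    return [run(True), run(False)]  # [connect-first reply, STOR-first reply]
```

Calling `demo()` returns the final reply for each ordering, so the connect-first transfer and the STOR-first rejection can be compared side by side.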

mb

2004-08-16 12:35:20

Hello ..

There are no problems with SmartFTP and IIS 6.0 that we are aware of.

Regards,
-Mat