Daniel Wells commented
It appears that by not having this option, we may be opening up our server to potential attacks.
This issue is old now, but I believe this should be escalated as a vulnerability, rather than a "feature request" based on popular vote.
"Not requiring session resumption allows session stealing attacks. The problem with FTP is that the data connection does not authenticate the client: Imagine you want to upload a new version of your website. To initiate the transfer your client sends the PASV command followed by the STOR command. The server opens a port and waits for the client to connect to it and upload the file. Now an attacker comes along and figures out the port the server listens on. He connects to the port before you can and uploads a piece of malware to your website."