Daniel Wells

My feedback

1 result found

  1. 30 votes
    Daniel Wells commented

    For reference...
    https://forum.filezilla-project.org/viewtopic.php?t=36903
    It appears that by not having this option, we may be opening up our server to potential attacks.
    This issue is old now, but I believe this should be escalated as a vulnerability, rather than a "feature request" based on popular vote.

    "Not requiring session resumption allows session stealing attacks. The problem with FTP is that the data connection does not authenticate the client: Imagine you want to upload a new version of your website. To initiate the transfer your client sends the PASV command followed by the STOR command. The server opens a port and waits for the client to connect to it and upload the file. Now an attacker comes along and figures out the port the server listens on. He connects to the port before you can and uploads a piece of malware to your website."
