My installation of Everything, Version 1.3.4.686 (x64), has been flagged by as being vulnerable to the FTP bounce exploit. It is classed as "Severe".
Has this been fixed in later versions?
FTP bounce vulnerability
Re: FTP bounce vulnerability
This is only an issue if you have the FTP server running, which is disabled by default.
It is more of a design flaw with the FTP protocol, than with Everything itself.
The issue affects all versions of Everything.
If this issue concerns you, please keep your FTP server disabled:
- In Everything, from the Tools menu, click Options.
- Click the ETP/FTP Server tab on the left.
- Uncheck Enable ETP/FTP Server.
- Click OK.
- Exit Everything (right click the Everything system tray icon and click Exit)
- Open your Everything.ini in the same location as your Everything.exe
- Change the following line:
allow_etp_server=1
to:
allow_etp_server=0
- Save changes and restart Everything.
https://en.wikipedia.org/wiki/FTP_bounce_attack
Re: FTP bounce vulnerability
Thanks.
I need to keep the FTP server running to answer requests from other users.
Will disabling the PORT command eliminate the vulnerability whilst allowing the FTP server to continue operating?
Or can it be configured to only allow other clients access to my server?
Re: FTP bounce vulnerability
I've added the ini option ftp_check_data_connection_ip to Everything 892.
When enabled, Everything will only allow data connections that have the same host as the control connection.
This setting will be enabled by default and prevent the FTP bounce vulnerability.
I've also added the ini option ftp_allow_port to completely disable the port command.
Will disabling the PORT command eliminate the vulnerability whilst allowing the FTP server to continue operating?
Yes, ftp_allow_port (when set to 0) and ftp_check_data_connection_ip (when set to nonzero) options will both prevent the FTP bounce vulnerability.
Or can it be configured to only allow other clients access to my server?
There is no per client control, it will either be on or off. The clients will most likely use the same data connection host as the control connection host, so this shouldn't affect any existing clients. If a client does want to specify a different data connection host you will need to disable the ftp_check_data_connection_ip ini setting.
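To illustrate the two server-side mitigations discussed in this thread (refusing PORT outright, and only accepting a data host that matches the control connection's peer), here is an added example that is not Everything's code; the function names, the option defaults and the extra refusal of privileged data ports (a standard FTP bounce hardening from RFC 2577) are assumptions made for this example.

```python
import ipaddress

def parse_port_command(arg: str):
    """Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2",
    into (host, port). Raises ValueError on malformed input."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = []
    for p in parts:
        if not p.isdigit():
            raise ValueError("non-numeric field")
        n = int(p)
        if n > 255:
            raise ValueError("field out of range (0-255)")
        nums.append(n)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port

def data_connection_allowed(port_arg: str, control_peer_ip: str,
                            check_data_connection_ip: bool = True,
                            allow_port: bool = True):
    """Decide whether to honour a PORT request. Mirrors the thread's policy:
    allow_port=False is like ftp_allow_port=0, check_data_connection_ip=True
    is like ftp_check_data_connection_ip=1 (hypothetical helper, not
    Everything's implementation). Returns (allowed, reason)."""
    if not allow_port:
        return False, "PORT command disabled"
    try:
        host, port = parse_port_command(port_arg)
    except ValueError as e:
        return False, f"malformed PORT argument: {e}"
    # Extra hardening beyond the thread: never open data connections to
    # well-known service ports, which is what a bounce attack relies on.
    if port < 1024:
        return False, "data port in privileged range"
    if check_data_connection_ip:
        if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
            return False, "data host differs from control connection host"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: control connection from 192.168.1.10, client asks
    # the server to connect to a third host on port 1025 (classic bounce).
    print(data_connection_allowed("10,0,0,5,4,1", "192.168.1.10"))
    print(data_connection_allowed("192,168,1,10,4,1", "192.168.1.10"))
```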