[New-bugs-announce] [issue43285] ftplib use host from PASV response

RiceX Star report at bugs.python.org
Sun Feb 21 06:49:34 EST 2021


New submission from RiceX Star <ricexdream at gmail.com>:

Last year, curl had a security update for CVE-2020-8284. For more info, see https://hackerone.com/reports/1040166

The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting
back to a given IP address and port. This may make the ftp client scan ports and extract service banners from a private network.

After testing and reading the ftplib module (https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Lib/ftplib.py#L346), I found that ftplib has the same problem.

----------
components: Library (Lib)
messages: 387455
nosy: ricexdream
priority: normal
severity: normal
status: open
title: ftplib use host from PASV response
type: security
versions: Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43285>
_______________________________________
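The mitigation the report points at (the same one curl adopted) is to take only the port from the 227 reply and pin the data connection to the address the control connection already uses. The following is an added example, not code from the report or from CPython: `pasv_target` and `PinnedPasvFTP` are names chosen here, the 227 replies in the test are constructed, and only the stdlib `ftplib.parse227` parser is real.

```python
"""Defensive handling of the FTP PASV reply host (added example)."""
import ftplib
import socket


def pasv_target(control_peer_host, pasv_response):
    """Decide where the data connection should go.

    The port is taken from the server's 227 reply, but the host is pinned
    to the address the control connection is already connected to, so a
    reply naming some other address cannot redirect the client.  The
    advertised host and a mismatch flag are returned so callers can log
    the discrepancy, which is itself a useful detection signal.
    Raises ftplib.error_reply for anything that is not a 227 reply.
    """
    advertised_host, port = ftplib.parse227(pasv_response)
    mismatch = advertised_host != control_peer_host
    return control_peer_host, port, advertised_host, mismatch


class PinnedPasvFTP(ftplib.FTP):
    """FTP client that never follows the host given in a PASV reply."""

    def makepasv(self):
        if self.af != socket.AF_INET:
            # EPSV (IPv6) replies carry only a port; ftplib already pairs it
            # with the control connection's peer address.
            return super().makepasv()
        peer_host = self.sock.getpeername()[0]
        host, port, advertised, mismatch = pasv_target(
            peer_host, self.sendcmd('PASV'))
        if mismatch:
            # Worth surfacing: a server pointing clients elsewhere.
            print(f"PASV advertised {advertised}; pinned to {host}")
        return host, port
```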

