The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we’re already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else.
Dates:
Disclosure date: 2021-02-21 (Python issue bpo-43285 reported)
Python 3.6.14 (2021-06-28) fixed by commit 4134f15 (branch 3.6) (2021-03-16)
Python 3.7.11 (2021-06-28) fixed by commit 7937395 (branch 3.7) (2021-03-16)
Python 3.8.9 (2021-04-02) fixed by commit 664d1d1 (branch 3.8) (2021-03-15)
Python 3.9.3 (2021-04-02) fixed by commit 7dcb4ba (branch 3.9) (2021-03-15)
Python 3.10.0 (2021-10-04) fixed by commit 0ab152c (branch 3.10) (2021-03-15)
ftplib should not use the host from the PASV response.
Python issue: bpo-43285
Creation date: 2021-02-21
Reporter: confd0
Timeline using the disclosure date 2021-02-21 as reference:
2021-02-21: Python issue bpo-43285 reported by confd0
2021-03-15 (+22 days): commit 0ab152c (branch 3.10)
2021-03-15 (+22 days): commit 664d1d1 (branch 3.8)
2021-03-15 (+22 days): commit 7dcb4ba (branch 3.9)
2021-03-16 (+23 days): commit 4134f15 (branch 3.6)
2021-03-16 (+23 days): commit 7937395 (branch 3.7)
2021-04-02 (+40 days): Python 3.8.9 released
2021-04-02 (+40 days): Python 3.9.3 released
2021-06-28 (+127 days): Python 3.6.14 released
2021-06-28 (+127 days): Python 3.7.11 released
2021-10-04: Python 3.10.0 released
curl vulnerability: CVE-2020-8284: trusting FTP PASV responses.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4