
PASV security

FTP can prove to be a security disaster, even when it is used with a transparent TCP security mechanism such as IPSEC. It is highly recommended that FTP never be used for anything other than retrieval of public files through PASV.

Unfortunately, as of 2000, FTP remains one of the Internet's most popular file upload mechanisms.

PASV connection theft can occur relatively simply (Please do not try this at home!!): After a client sends PASV, an attacker can connect to the server's TCP port before the client does. The severity of this attack depends on what the client does next:

Servers can take several measures to protect against PASV theft:
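
One such server-side measure, shown as an added example that is not from the original page: accept a passive-mode data connection only when its source address matches the address of the control connection that sent PASV. The function and parameter names are hypothetical, and `listener` is assumed to be the listening socket the server opened for its PASV reply.

```python
import ipaddress
import socket
import time


def same_host(a, b):
    """Compare two textual IPs, treating IPv4-mapped IPv6 as plain IPv4."""
    def norm(ip):
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop any IPv6 zone id
        if addr.version == 6 and addr.ipv4_mapped:
            return addr.ipv4_mapped
        return addr
    return norm(a) == norm(b)


def accept_data_connection(listener, control_peer_ip, timeout=10.0):
    """Accept one PASV data connection, but only from the control peer's IP.

    control_peer_ip is control_sock.getpeername()[0] for the session that
    issued PASV. Returns (conn, rejected): conn is the accepted socket, or
    None if the real client never arrived before the deadline; rejected is
    the list of (ip, port) peers that were refused, for logging/alerting.
    """
    deadline = time.monotonic() + timeout
    rejected = []
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None, rejected
        listener.settimeout(remaining)
        try:
            conn, addr = listener.accept()
        except socket.timeout:
            return None, rejected
        if same_host(addr[0], control_peer_ip):
            return conn, rejected
        # Foreign peer reached the port first: drop it and keep listening,
        # so the legitimate client can still connect.
        conn.close()
        rejected.append((addr[0], addr[1]))
```

This check does not help when the other party shares the client's address (a multi-user host or a NAT gateway), and it refuses server-to-server transfers, which connect from a different address by design.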


Dave Marshall
9/28/2001