FileZilla FTP server gives command help even before the user authenticates

717
j0h

I have a Windows 7 computer running FileZilla Server. I was reading through my logs a while ago and noticed a strange excerpt that I don't understand.

199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 220 PlayNice in the SandBox
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> USER anonymous
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 331 Password required for anonymous
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> PASS **********
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 530 Login or password incorrect!
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> help
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 214-The following commands are recognized:
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> ABOR ADAT ALLO APPE AUTH CDUP CLNT CWD
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> DELE EPRT EPSV FEAT HASH HELP LIST MDTM
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> MFMT MKD MLSD MLST MODE NLST NOOP NOP
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> OPTS P@SW PASS PASV PBSZ PORT PROT PWD
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> QUIT REST RETR RMD RNFR RNTO SITE SIZE
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> STOR STRU SYST TYPE USER XCUP XCWD XMKD
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> XPWD XRMD
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 214 Have a nice day.

Without logging in, someone was able to get a list of the available commands?

Is this normal?
Should I be concerned?
Is it preventable?

Apart from blocking the whole subnet, what should I do?

0
Note that the USER and PASS commands are listed in that help. Ƭᴇcʜιᴇ007 9 years ago 2

2 answers

3
risyasin

Yes, that is perfectly normal. The protocol does not force authentication in the first place; even anonymous authentication is not required. Actually, most FTP servers are only for serving files. You should not consider that a security flaw. You can try that with any FTP server out there. I don't think it's preventable.

0
Martin Prikryl

There are commands you need to use even before authenticating, and you may need to get help with them.

Obviously USER, PASS and AUTH (for TLS).

But also, for example, HOST (RFC 7151), which FileZilla Server does not support, though.

Even if you use a GUI FTP client, so that you do not care about help, the client may need to know what commands the server supports. That's particularly true for the HOST command: when the server supports HOST, the client needs to send that command before USER.

Note that a GUI FTP client would use FEAT, not HELP, but the consequences are the same.

It may be possible for a server to choose not to list, in its HELP or FEAT response, the commands that are not allowed without authentication until you actually authenticate. But the FEAT specification, RFC 2389, does not provide for such a possibility, so such a server implementation might break some clients (which use FEAT before authentication, expecting a complete set of commands/features).
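The following is an added example, not code from FileZilla Server or from either answer. It models the control-channel exchange from the question's log (USER/PASS rejected, then HELP answered with 214 without any login) and the point made in this answer that a client sends FEAT, and HOST if it is advertised, before USER, so a server that withholds FEAT before login changes what the client does. It also includes a small parser for the FileZilla Server log format shown in the question. The reply texts, the feature list, the user table, the `ftp.example.test` hostname and the command sets are assumptions chosen for the model, not FileZilla's own.

```python
"""Added example, not FileZilla Server code: a model of the FTP control channel
before and after login, plus a parser for the FileZilla log format in the question.
Reply texts, the feature list, the user table and the command sets are assumptions."""
import re

# Commands a client needs before authenticating (assumed set, not any server's policy).
PRE_AUTH = {"USER", "PASS", "AUTH", "HOST", "FEAT", "HELP", "QUIT"}
POST_AUTH = {"CWD", "PWD", "LIST", "RETR", "STOR", "DELE", "MKD", "RMD"}


class FtpServerModel:
    def __init__(self, users, supports_host=False, hide_help_before_login=False):
        self.users = users                   # constructed user -> password table
        self.supports_host = supports_host   # FileZilla Server itself has no HOST
        self.hide = hide_help_before_login   # the non-standard variant from the answer
        self.user, self.authenticated = None, False

    def features(self):
        return ["UTF8", "SIZE", "MDTM"] + (["HOST"] if self.supports_host else [])

    def handle(self, line):
        """Reply to one command line; multi-line replies are newline-joined."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELP", "FEAT"):
            if self.hide and not self.authenticated:
                return "530 Please log in with USER and PASS first."
            if verb == "HELP":
                cmds = " ".join(sorted(PRE_AUTH | POST_AUTH))
                return f"214-The following commands are recognized:\n {cmds}\n214 Have a nice day."
            return "211-Features:\n " + "\n ".join(self.features()) + "\n211 End"
        if verb == "HOST":                   # HOST belongs before USER (RFC 7151)
            if not self.supports_host:
                return "500 Syntax error, command unrecognized."
            return f"220 Host {arg} accepted"
        if verb == "USER":
            self.user = arg
            return f"331 Password required for {arg}"
        if verb == "PASS":
            if self.user is not None and self.users.get(self.user) == arg:
                self.authenticated = True
                return "230 Logged on"
            return "530 Login or password incorrect!"
        if verb in POST_AUTH:
            return "200 Command okay." if self.authenticated else "530 Please log in with USER and PASS first."
        return "500 Syntax error, command unrecognized."


def replay(server, commands):
    """Feed commands in order and return the 3-digit reply code of each."""
    return [int(server.handle(c)[:3]) for c in commands]


def client_login(server, user, password, hostname="ftp.example.test"):
    """GUI-client model: FEAT first, HOST only if advertised, then USER/PASS.
    Returns (sent_host, logged_in)."""
    feat = server.handle("FEAT")
    advertised = {f.strip() for f in feat.split("\n")[1:-1]} if feat.startswith("211-") else set()
    sent_host = "HOST" in advertised
    if sent_host:
        server.handle(f"HOST {hostname}")
    server.handle(f"USER {user}")
    return sent_host, server.handle(f"PASS {password}").startswith("230")


LOG_LINE = re.compile(r"^\((\d+)\)\S+ \S+ \S+ - \((.*?)\) \(([\d.]+)\)> (.*)$")


def commands_from_log(text):
    """Client commands per (session id, ip) from FileZilla Server log lines.
    A payload starting with a 3-digit code is a server reply; an 'NNN-' reply
    continues until the matching 'NNN ' line, so those lines are skipped too."""
    sessions, in_reply = {}, None
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        sid, _who, ip, payload = m.groups()
        if in_reply:
            if payload.startswith(in_reply + " "):
                in_reply = None
            continue
        if re.match(r"\d{3}[ -]", payload):
            if payload[3] == "-":
                in_reply = payload[:3]
            continue
        sessions.setdefault((sid, ip), []).append(payload)
    return sessions


# Constructed excerpt in the question's log format (same session as the question).
SAMPLE_LOG = """\
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> USER anonymous
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 331 Password required for anonymous
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> PASS **********
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 530 Login or password incorrect!
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> help
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 214-The following commands are recognized:
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> ABOR ADAT ALLO APPE AUTH CDUP CLNT CWD
(000199)10/28/2014 23:07:57 PM - (not logged in) (66.240.192.138)> 214 Have a nice day.
"""

if __name__ == "__main__":
    cmds = commands_from_log(SAMPLE_LOG)[("000199", "66.240.192.138")]
    print(cmds, replay(FtpServerModel({}), cmds))   # HELP gets 214 with no login
    print(client_login(FtpServerModel({"bob": "pw"}, supports_host=True, hide_help_before_login=True), "bob", "pw"))
```

Replaying the commands recovered from the log against the model gives 331, 530, 214: the same sequence the question shows, with nothing but a failed anonymous login in front of the HELP response. The second run shows the consequence of the "hide until authenticated" variant: the client still logs in, but because FEAT returned 530 it never learned that HOST was available and never sent it, which is the kind of client breakage the answer warns about.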
