[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] FTP PORT command code in v1.16.3?

From: tomtidaly
Subject: Re: [Bug-wget] FTP PORT command code in v1.16.3?
Date: Thu, 13 Aug 2015 02:47:19 -0000

> On Monday 10 August 2015 16:37:35 address@hidden wrote:
>> In the past it could be possible for a site over http connection to
>> redirect wget to FPT using FTP PORT command so the site gets the real IP
>> of the computer even when wget proxy command is in use I believe:
>> https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
>> Is that code still present in wget v1.16.3? It was present in v1.13.4.
> By default Wget is using passive FTP. This avoids PORT (resp. EPRT and
> LPRT).
> But your system administrator could change the default behavior via
> /etc/wgetrc and/or you could change it in ~/.wgetrc.
> You can prove Wget's behavior with the -d command line option.
> E.g. 'wget -d ftp://ftp.example.com/xyz' (fill a real FTP server here)
> A PORT command would be printed to the screen.
> *BUT* if the server reject the PASV command, Wget automatically falls back
> to
> PORT. This is a security thread to people who try to stay anonymous, the
> real
> client's IP will be shown to the FTP server.
> I guess this is the what you are talking about !?

Yes I believe. The way I understood the issue is if I used wget to
download a file from a website like '$wget --proxy
--execute=http_proxy= -c
http://somesite.com/somefile.txt' the site could send FTP PORT command to
redirect wget to ftp protocol, and then get the computer's IP even though
I used the http proxy option.

> Anyways, this behavior has to be changed.
> Thanks for throwing this up.
> Tim

No problem, you're welcome and thanks for the fast fix, this will make
many people happy!

reply via email to

[Prev in Thread] Current Thread [Next in Thread]