README.ftp
gatling now also speaks FTP, and it is enabled by default.
Disable it with -F.
Working around itojun's disabled IPv4-mapped IPv6 addresses is even
worse for FTP than it is for HTTP. I'm not going to waste my time on
this for now. Please ask itojun himself to prove how "easy" or even
"trivial" it is to do this, as he always claims it is.
Just as HTTP binds to port 80 when running as root and to port 8000
otherwise, FTP binds to port 21 as root and to port 2121 otherwise. To
specify the FTP port, use -f -p [port]. Example:
gatling -p 81 -f -p 2100
would run an HTTP server on port 81 and an FTP server on port 2100. For
now, HTTP and FTP will always bind to the same IP address.
Please note:
a) No TELNET sequences.
These are _really_ obsolete, a pain in the ass to implement, and
have even been used as a means to evade intrusion detection systems,
thanks to their obscurity.
b) The path checking deliberately _allows_ leaving the FTP file system,
as long as you follow a symbolic link in the process. That means,
if you symlink out of the FTP file system (and the destination is in
the chroot jail), gatling will allow FTP (and HTTP!) users to
follow the symlink. However, following a directory symlink and
appending "/../" will not follow the .. directory entry of the
symlink's target directory, as an attacker might hope.
The idea is to make it easy to create an FTP server by putting a
few symlinks to the directories you want to export in an empty
directory and starting gatling there.
c) As for HTTP, gatling will do virtual hosting, i.e. if the client
connected to IP 10.1.1.23 on port 21, gatling will look for the
exported data in the directory "10.1.1.23:21".
d) gatling will not let users download files that are not world
readable, even if the permissions would normally allow the gatling
process to read the files. This is to prevent accidental
publication of sensitive files.
e) gatling accepts uploads via anonymous FTP, but only to directories
that are world writable. Since there normally are no world
writable directories, this should not pose much of a threat to
anyone. Please note that the files are created with mode 600,
which means gatling will not let others download uploaded files, so
it cannot be exploited as a warez dump.
You can disable uploads altogether with -U, or you can allow
anonymous downloaders to download just-uploaded files with -a.
f) gatling's directory listings will always claim files are owned by
root. The local accounts on FTP sites are ignored by software and
not normally useful to outsiders anyway, but revealing them may
expose more of your organisation to FTP users than you want.
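The access rules from items b), d) and e) above, written out as an added Python example (this is not gatling's own code, which is C; the function names, the lexical ".." handling and the sample directory tree are assumptions made for the demonstration):

```python
import os
import stat
import tempfile

def lexical_normalize(request_path):
    # Resolve "." and ".." on the request string before touching the filesystem,
    # so "link/../x" names a sibling of the link entry, not of its target (b).
    parts = []
    for seg in request_path.split("/"):
        if seg == "..":
            if not parts:
                return None  # would climb above the export root
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/".join(parts)

def may_download(root, request_path):
    # Item d: serve only regular files that are world-readable.
    rel = lexical_normalize(request_path)
    if rel is None:
        return False
    path = os.path.join(root, rel)  # isfile/stat follow symlinks, like gatling
    return os.path.isfile(path) and bool(os.stat(path).st_mode & stat.S_IROTH)

def upload(root, request_path, data):
    # Item e: only into a world-writable directory, and the file gets mode 600.
    rel = lexical_normalize(request_path)
    if not rel:
        return False
    target = os.path.join(root, rel)
    parent = os.path.dirname(target)
    if not os.path.isdir(parent) or not os.stat(parent).st_mode & stat.S_IWOTH:
        return False
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True

def build_sample_tree():
    # Constructed sample export root (not from gatling); chmod overrides umask.
    root = tempfile.mkdtemp()
    for d, mode in (("data", 0o755), ("data/sub", 0o755), ("incoming", 0o1777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("data/public.txt", 0o644), ("data/secret.txt", 0o640)):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), mode)
    os.symlink(os.path.join(root, "data", "sub"), os.path.join(root, "link"))
    return root
```

With the sample tree, "link/../public.txt" is refused even though the filesystem would resolve it to the world-readable data/public.txt, and a file uploaded into incoming/ is not downloadable afterwards because of its mode 600.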