FTP server "allow upload" permission issue

Source: Internet
Author: User
Tags: file size, ftp, rar, zip

Many movie sites, forums and other organizations grant users upload permission so that members can upload films or exchange files. Granting only this permission lets users upload files, but on an FTP server that supports resumed (restart) transfers this single permission can cause a lot of problems.

An FTP server that supports resumed transfers must implement the REST command. When REST is issued before the upload command (STOR on the wire; "send" in the Windows ftp client), it tells the server that the file about to be uploaded should be written starting at the given byte offset of the file that already exists on the server.

Example:

Suppose the FTP server holds a file Readme.txt of 1000 bytes. I connect to this server (assuming I have write permission and the server supports resumed transfers), and I also have a local file named Readme.txt of 500 bytes. Now I start doing bad things.

1. Connect to the FTP server (using the system's ftp.exe; this may not work from inside an intranet, because ftp.exe uses port/active mode).

2. dir (check the size of Readme.txt; confirm it is 1000 bytes).

3. quote REST 1000 (tell the FTP server that the file I am about to send starts at byte offset 1000).

4. send Readme.txt

5. dir (check the size of Readme.txt again; it is now 1500 bytes).

Why did Readme.txt grow? Simple: my local 500-byte Readme.txt was uploaded successfully and written onto the end of the 1000-byte Readme.txt already on the server. The crux is the REST command. Without it, the "send Readme.txt" command would fail with a permission-denied error: REST makes the FTP server treat the operation as resuming an interrupted upload, whereas without it the server treats the operation as overwriting the existing file, which requires additional permission.

Here the point of the title should be clear: with a very simple sequence of operations, any user with write permission can alter files uploaded by other users, and that alone is a serious security hole. If an important file is uploaded, arbitrary modification can corrupt it completely. If it is an executable, or a zip or rar archive, could some genius lunatic familiar with the various file structures add malicious code to those files, so that the system running them is compromised or executes a backdoor? I am not familiar with those file structures, so I can only say it is an open question; but in the computer world many "impossible" things have eventually been made possible, so I cannot rule it out. Even if the damage were limited to corrupting the file, that is destructive enough: think of a 500 MB video file with extra bytes appended; it probably can no longer be viewed, and the player will generally report that it is not a valid video file and cannot play it. As for zip, rar and similar archives, WinZip or WinRAR will certainly report that the archive is damaged or that the CRC check failed.

This article is from http://www.bianceng.cn (Programming Getting Started Network)

This problem exists only on FTP servers that allow resumed transfers, but today about 90% of FTP servers do, so the problem is close to universal.

Prevention:

If you must grant a user upload permission, the best protection is to create a directory for that user and confine the user's permissions entirely to it. The user then has no right to view other users' directories and cannot cause the damage described above.
The test described above was done against Serv-U V4.0 on Windows 2000 Server. Whether other FTP server programs have the same problem is outside the scope of this article. On Windows the most popular FTP server is still Serv-U, so administrators should pay attention. This article is not meant to teach people to do bad things; if you use this method to damage files on an FTP server, you alone are responsible. To quote a line from a Gu Long novel: "The knife itself is not at fault; the fault lies with the hand that wields it."
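To make the REST/STOR decision and the directory-confinement remedy concrete, here is a small Python model added to this page; it is not Serv-U's code or the article's, and the policy names, rights ("write", "modify"), paths and account are constructed for illustration. It replays the 1000-byte Readme.txt scenario above against the weak rule the article describes and against a stricter rule.

```python
from dataclasses import dataclass, field


@dataclass
class FtpServer:
    """Minimal model of the server's file store (constructed example)."""
    files: dict = field(default_factory=dict)  # path -> content (bytes)

    def rest_stor(self, policy, path, offset, data, rights, home):
        """Model 'REST <offset>' then 'STOR <path>'; return (accepted, size).
        Writes start at 'offset' like a seek-and-write, so 500 bytes sent at
        offset 1000 onto a 1000-byte file leave a 1500-byte file."""
        existing = self.files.get(path, b"")
        if not policy(path, offset, existing, rights, home):
            return False, len(existing)
        head = existing[:offset].ljust(offset, b"\0")
        tail = existing[offset + len(data):]
        self.files[path] = head + data + tail
        return True, len(self.files[path])


def weak_policy(path, offset, existing, rights, home):
    """The behaviour the article describes: a non-zero REST marks the STOR
    as a resume, which only needs upload ('write') rights, so any uploader
    can append to any existing file."""
    if not existing:
        return "write" in rights
    if offset == 0:
        return "modify" in rights  # plain overwrite is guarded correctly
    return "write" in rights       # the resume path skips that check: the flaw


def strict_policy(path, offset, existing, rights, home):
    """Hardened rule: confine the account to its own directory (the article's
    remedy) and treat any write into an existing file as a modification."""
    if not path.startswith(home.rstrip("/") + "/"):
        return False
    if not existing:
        return "write" in rights
    return "modify" in rights


def run_scenario(policy):
    """Replay the article's steps: dir shows 1000 bytes, REST 1000, send 500."""
    server = FtpServer({"/pub/Readme.txt": b"A" * 1000})  # another user's file
    rights, home = {"write"}, "/home/uploader"           # upload-only account
    return server.rest_stor(policy, "/pub/Readme.txt", 1000, b"B" * 500, rights, home)
```

Under weak_policy the replay returns (True, 1500), reproducing the growth the dir output shows; under strict_policy it returns (False, 1000) while a fresh upload into the account's own directory is still accepted.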
