
FTP : Server to Server ?

Is there a safe way to remotely transfer files from a ftp server to
another, the delphi app controlling the transfer not being on any of the
ftp server hosts ?

I've read a bit about FXP that seems to be roughly what I'm looking for,
but which seems to have some limitations/drawbacks : security problems,
doesn't work for 2 NT FTP servers ?, no way to follow the progress
status ...

Is there a protocol, a delphi comp that will suit my needs ?

Thanks

 

Re:FTP : Server to Server ?


In article <3DAD6A5E.5040...@free.fr>, the...@free.fr says...
Quote
> Is there a safe way to remotely transfer files from a ftp server to
> another, the delphi app controlling the transfer not being on any of the
> ftp server hosts ?

I think the current Indy 10 snapshots can provide FTPX functionality.  

However, it can not provide progress reports because the client doesn't
see a byte of the transfer.  And in addition, it will not work with many
servers because of security concerns.  The same FTPX mechanism that you
would like to use is subject to some types of abuses.  These abuses are:

1) A pirate could hijack a PASV data port connection and get what was
intended for you.
2) The PORT command could be misused to gain access to an internal
network in some cases by simply specifying an IP address and Port inside
the network.
3) The PORT command could be used to cause abuses with services on
another machine such as a buffer overflow, flooding, or sending a file
with protocol command sequences to create problems (such as spamming).

To be frank with you, I actually favor servers disabling FTPX support
for those reasons.
--
J. Peter Mugaas - Chairperson, Distribution Team, Indy Pit Crew
Internet Direct (Indy) Website - http://www.nevrona.com/Indy
Personal Home Page - http://www.wvnet.edu/~oma00215
If I want to do business with you, I will contact you.  Otherwise, do
not contact me.

Re:FTP : Server to Server ?


sorry for newbie questions but :

I don't understand why a ftpx server would be unsafer than a classical
ftp server ?

- a pirate can't hijack the PASV or abuse with the PORT command on a
classical server ?

- the user has to log in on the two servers, so what is unsafer ?

- if there is no anonymous access to the servers, is the procedure safe ?
safer ?

Thanks.

J. Peter Mugaas wrote:

Quote
> In article <3DAD6A5E.5040...@free.fr>, the...@free.fr says...

>>Is there a safe way to remotely transfer files from a ftp server to
>>another, the delphi app controlling the transfer not being on any of the
>>ftp server hosts ?

> I think the current Indy 10 snapshots can provide FTPX functionality.  

> However, it can not provide progress reports because the client doesn't
> see a byte of the transfer.  And in addition, it will not work with many
> servers because of security concerns.  The same FTPX mechanism that you
> would like to use is subject to some types of abuses.  These abuses are:

> 1) A pirate could hijack a PASV data port connection and get what was
> intended for you.
> 2) The PORT command could be misused to gain access to an internal
> network in some cases by simply specifying an IP address and Port inside
> the network.
> 3) The PORT command could be used to cause abuses with services on
> another machine such as a buffer overflow, flooding, or sending a file
> with protocol command sequences to create problems (such as spamming).

> To be frank with you, I actually favor servers disabling FTPX support
> for those reasons.

Re:FTP : Server to Server ?


Quote
"TheCat" <the...@free.fr> wrote in message news:3DAE7BFC.90905@free.fr...
> sorry for newbie questions but :

> I don't understand why a ftpx server would be unsafer than a classical
> ftp server ?

> - a pirate can't hijack the PASV or abuse with the PORT command on a
> classical server ?

pasv:
no, when you issue a pasv, the server opens a port (on itself).
on a classical server only the one issuing the pasv is allowed to connect to
that port.
but when fxp is enabled, anyone is allowed to connect to that port.
a hacker could connect to that port before you do. ( he doesn't know the
ip/port thus he must have a lot of luck to connect to your server/port in
the 1 second the port is open )

port:
port is used to let the server connect to a specified ip/port
if a ftpserver is behind a firewall (thus on the inside) (ftpclient at the
outside),
a fxp ftpserver would allow itself to connect to any ip, thus also ip's that
are also inside the firewall, but where the ftpclient has no access to. a
"classic" server would only allow to connect to the ip that issued the port
command.

Quote
> - the user has to log in on the two servers, so what is unsafer ?

> - if there is no anonymous access to the servers, is the procedure safe ?
> safer ?

the port command would be secure (if you can trust the users)
the pasv command can still be abused by hackers (remote chance).

Quote
> Thanks.

Bas
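
The two checks described in the post above for a "classic" server, next to the FXP-enabled behaviour, as an added example (not part of the original thread and not Indy code). The function names, the `allow_fxp` flag, the reply strings, the low-port rule and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer_ip, allow_fxp=False):
    """Decide whether the server may open a data connection to the PORT target."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return False, "501 Syntax error in PORT argument"
    if port < 1024:
        # Common hardening (assumption, not from the thread): never connect
        # out to well-known service ports, whoever asked.
        return False, "500 Illegal PORT command (privileged port)"
    if not allow_fxp and host != ipaddress.ip_address(control_peer_ip):
        # "Classic" behaviour: only connect back to the client that sent PORT.
        return False, "500 Illegal PORT command (address mismatch)"
    return True, "200 PORT command successful"

def check_pasv_peer(data_peer_ip, control_peer_ip, allow_fxp=False):
    """Decide whether to keep a connection accepted on the PASV listener."""
    if allow_fxp:
        return True  # anyone who reaches the port first gets the data
    return ipaddress.ip_address(data_peer_ip) == ipaddress.ip_address(control_peer_ip)

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed sample addresses (documentation ranges)
    for arg in ("203,0,113,7,19,137", "10,0,0,5,19,137", "10,0,0,5,0,25"):
        print(arg, check_port_command(arg, client),
              check_port_command(arg, client, allow_fxp=True))
    print(check_pasv_peer("198.51.100.9", client),
          check_pasv_peer("198.51.100.9", client, allow_fxp=True))
```
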

Re:FTP : Server to Server ?


In article <3daf2...@newsgroups.borland.com>, bas_gooi...@yahoo.com
says...

Quote
> [snip]
> pasv:
> no, when you issue a pasv, the server opens a port (on itself).
> on a classical server only the one issuing the pasv is allowed to connect to
> that port.
> but when fxp is enabled, anyone is allowed to connect to that port.
> a hacker could connect to that port before you do. ( he doesn't know the
> ip/port thus he must have a lot of luck to connect to your server/port in
> the 1 second the port is open )

Not quite if you're talking a hacker with a packet sniffer between the
user and the server.  In addition, a hacker analyzing a server might be
able to guess what random port a PASV connection will be listening at
(sometimes listening at a random port is not as random as it looks).
--
J. Peter Mugaas - Chairperson, Distribution Team, Indy Pit Crew
Internet Direct (Indy) Website - http://www.nevrona.com/Indy
Personal Home Page - http://www.wvnet.edu/~oma00215
If I want to do business with you, I will contact you.  Otherwise, do
not contact me.

Re:FTP : Server to Server ?


Thanks for your help.

I'll take the time to digest the information before taking a decision.

Thanks again,
Regards.
