----------
Connect to: (21.04.2015 3:14:59)
hostname=195.2.x.x
username=debug
startdir=
220 FTP Server ready.
AUTH TLS
234 AUTH TLS successful
Cert subject: /C=RU/ST=Moskow/L=spb/O=Default Company Ltd/CN=breezfm.ru/emailAddress=admin@breezfm.ru
Cert issuer: /C=RU/ST=Moskow/L=spb/O=Default Company Ltd/CN=breezfm.ru/emailAddress=admin@breezfm.ru
USER debug
331 Password required for debug
PASS ***********
230 User debug logged in.
SYST
215 UNIX Type: L8
FEAT
211-Features:
MDTM
MFMT
TVFS
UTF8
AUTH TLS
MFF modify;UNIX.group;UNIX.mode;
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
PBSZ
PROT
REST STREAM
LANG zh-CN;es-ES;zh-TW;ja-JP;ko-KR;en-US*;fr-FR;bg-BG;it-IT;ru-RU
SIZE
211 End
PBSZ 0
200 PBSZ 0 successful
OPTS UTF8 ON
200 UTF8 set to on
Connect ok!
PROT C
200 Protection set to Clear
PWD
257 "/" is the current directory
Get directory
TYPE A
200 Type set to A
PORT 93,72,y,y,18,239
200 PORT command successful
MLSD
150 Opening ASCII mode data connection for MLSD
Download
Waiting for server...
226 Transfer complete
----------
Connect to: (21.04.2015 3:15:29)
hostname=195.2.x.x
username=debug
startdir=
220 FTP Server ready.
# AUTH TLS Command is ABSENT!
USER debug
331 Password required for debug
PASS *********** # Open Text Password Send!!!
230 User debug logged in.
SYST
215 UNIX Type: L8
FEAT
211-Features:
MDTM
MFMT
TVFS
UTF8
AUTH TLS
MFF modify;UNIX.group;UNIX.mode;
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
PBSZ
PROT
REST STREAM
LANG zh-CN;es-ES;zh-TW;ja-JP;ko-KR;en-US*;fr-FR;bg-BG;it-IT;ru-RU
SIZE
211 End
OPTS UTF8 ON
200 UTF8 set to on
Connect ok!
CWD /1112
550 /1112: No such file or directory
CWD /
250 CWD command successful
PWD
257 "/" is the current directory
Get directory
TYPE A
200 Type set to A
PORT 93,72,y,y,18,241
200 PORT command successful
MLSD
150 Opening ASCII mode data connection for MLSD
Download
Waiting for server...
226 Transfer complete
TYPE I
200 Type set to I
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (195,2,x,x,191,200).
PORT 195,2,x,x,191,200
200 PORT command successful
STOR 1112
150 Opening BINARY mode data connection for 1112
RETR 1111
150 Opening BINARY mode data connection for 1111 (1 bytes)
226 Transfer complete
226 Transfer complete
Copied (21.04.2015 3:15:32): 1111 -> 1112 1 bytes, 0 bytes/s
QUIT
221 Goodbye.
Get directory
TYPE A
200 Type set to A
PORT 93,72,y,y,18,242
200 PORT command successful
MLSD
150 Opening ASCII mode data connection for MLSD
Download
Waiting for server...
226 Transfer complete
FXP Sequrity BUG!
Moderators: Hacker, petermad, Stefan2, white
FXP Sequrity BUG!
When copying a file on the server (Shift + F5), a second connection to the server is always created in plain text!
Last edited by Isica on 2015-04-25, 01:18 UTC, edited 1 time in total.
-
ghisler(Author)
- Site Admin
- Posts: 50549
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
???
This isn't a bug, that's how FxP works - it's a connection between TWO servers. When you copy within the same server, you still need a second control connection (for the target).
This isn't a bug, that's how FxP works - it's a connection between TWO servers. When you copy within the same server, you still need a second control connection (for the target).
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
TC's FTP client may be basic feature wise and it's fine. But this really is security bug.
You connect to encrypted ftps://yourserver.tld, because you don't want your password sniffed by anyone. Then you want to copy some file on server using Shift+F5 and TC needs to open another connection to the same server to do that. But this time, it uses plain ftp://yourserver.tld without encryption.
You connect to encrypted ftps://yourserver.tld, because you don't want your password sniffed by anyone. Then you want to copy some file on server using Shift+F5 and TC needs to open another connection to the same server to do that. But this time, it uses plain ftp://yourserver.tld without encryption.
FXP is between two servers and not between your TC and a server.Sob wrote:TC's FTP client may be basic feature wise and it's fine. But this really is security bug.
You connect to encrypted ftps://yourserver.tld, because you don't want your password sniffed by anyone. Then you want to copy some file on server using Shift+F5 and TC needs to open another connection to the same server to do that. But this time, it uses plain ftp://yourserver.tld without encryption.
Data connections yes, control connections no. Both control connections are established by TC. The problem here is second control connection, because it skips AUTH command and just sends the password in plaintext.
Original poster already described it well, just look at the log (hint: the colored parts ;).
Original poster already described it well, just look at the log (hint: the colored parts ;).
-
ghisler(Author)
- Site Admin
- Posts: 50549
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
This was fixed in TC 8.52 beta 1, but FxP may still not work, depending on the server. The fix only fixes the login problem.
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
-
ghisler(Author)
- Site Admin
- Posts: 50549
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact: