In other words, practically there’s no IP address restriction, no matter what settings are chosen in the Filezilla server GUI.įor the (PORT) bounce attack, the net result is that the attack can proceed without hindrance.įor PASV connection theft, Filezilla FTP server offers an additional de-facto security layer in the form of a weak variant of “PASV SYN protection”, namely “Closing a socket as soon as accept() succeeds”. This means that as long as the control channel and the data channel are established to the same IP address (that of the Filezilla server, naturally), the security test is passed, regardless of the remote addresses. Unfortunately, due to a bug in Filezilla FTP server (introduced in version 0.8.0, released January 1 st, 2003), it is not the remote IP address of the channels which is subject to these tests, but rather the local IP address. See the Filezilla Server Interface (GUI) screenshot: This advisory will refer to Bernstein’s work for terminology.įilezilla FTP server was designed to protect against these attacks chiefly by verifying that the data channel remote IP address is identical (in “strict mode”) or at least from the same class C (in the more relaxed mode, which is the default) to the control channel remote IP address. Bernstein’s 1999 paper “ PASV security and PORT security”, which names the attack and discusses effective and ineffective defense mechanisms. Gerber’s 1999 paper “FTP PASV ‘Pizza Thief’ Exploit” (originally at but no longer available there mirrored at ), and Daniel J.
Among the first descriptions of the PASV connection theft attack are David Sacerdote’s 1996 paper “ Some problems with the File Transfer Protocol, a failure of common implementations, and suggestions for repair”, Jeffrey R.
in Hobbit’s 1995 writeup “ The FTP Bounce Attack” and in CERT’s 1998 tech tip “Problems With The FTP PORT Command or Why You Don't Want Just Any PORT in a Storm” (originally at, that page is no longer responsive mirrored at ). Filezilla FTP server is vulnerable to FTP PORT bounce attack and PASV connection theftįilezilla FTP server (affected versions: 0.8.0 - 0.9.50) is vulnerable to PORT bounce attack and to PASV connection theft.