Problems with allowing upload permission on an FTP server

  

Many movie websites, forums and other organizations grant users upload permission so that members can upload movies or exchange files, since users can upload files only if this permission is granted. On FTP servers that support resuming interrupted transfers, however, this permission can cause big problems.

An FTP server program that supports resuming must support a "Rest" command. If this command is used before the upload command (send), it tells the FTP server that the file I want to upload is to be written starting from the given position in the file that already exists on the server.

Example: suppose there is a file Readme.txt on the FTP server with a size of 1000 bytes. I connect to the FTP server (assuming I have write permission and the server supports resuming), and I also have a local file called Readme.txt with a size of 500 bytes. OK, I start doing bad things.

1. Connect to the FTP server (using the system's own ftp.exe; this may not work from an internal network, because ftp.exe uses PORT mode).
2. dir (check the size of Readme.txt; confirmed to be 1000 bytes).
3. quote rest 1000 (tell the FTP server that the file I am about to transfer starts at file position 1000).
4. send Readme.txt
5. dir (check the size of Readme.txt again; it is now 1500 bytes).

Why did Readme.txt get bigger? It is very simple: the 500 bytes of my local Readme.txt were uploaded successfully and written after the 1000 bytes of the Readme.txt that already existed on the FTP server.

The key is the rest command issued before the send. Without it, my fourth command (send Readme.txt) would get a Permission Denied error. The rest command makes the FTP server trust that we are performing a resume operation. Without it, the FTP server assumes that we are trying to overwrite the original file, and overwriting the original file requires additional permissions.

Having said that, everyone should understand the point of this article: with a very simple operation, any user with write permission can change the files uploaded by other users. This alone is a big security hole. If you upload an important file, random modifications can completely destroy it. If it is an executable file or a zip or rar archive, might some mad genius who is familiar with the various file structures add malicious code to those files, so that the system of whoever runs them is damaged or executes a backdoor? Because I am not familiar with the structure of these files, I can only say that this is an unknown. In the world of computers, though, many things thought impossible have in the end been made possible, so I cannot draw a conclusion.

Destroying files is damaging enough on its own. Think of a 500M video file that has had extra bytes added to it: it probably can no longer be viewed. The program used to play such files will generally say that it is not a valid video file, that it cannot be played, and so on. As for zip, rar and similar files, WinZip or WinRAR will certainly say that the archive is corrupted, that the CRC check failed, and so on.

This problem exists only in FTP services that support resuming, but 90% of FTP service programs now support resuming, so the problem exists in the popular FTP servers.

Precautionary method: if you need to grant users upload permission, the best defense is to create a directory for each user and lock that user's permissions completely inside it. The user then has no permission to view other users' directories, and so cannot cause the damage described above.

The test described above was carried out on Serv-U V4.0, and the test platform was Win 2K Server. Whether other FTP servers have this problem is beyond the scope of this article. On Windows systems, the most popular program for setting up an FTP service today is Serv-U, so administrators should pay more attention.

This article is not meant to teach people to do bad things. If you use this method to destroy files on an FTP server, the responsibility is yours alone. To quote a Gu Long novel: "The knife itself is not at fault; the fault lies with the hand that holds it."
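The permission decision described above, and the per-user directory defense, as an added example that is not from the original article or from Serv-U. The Account record, the function names and the paths are hypothetical. The flawed check is an assumed model of the observed behaviour, and requiring the overwrite right for every write to an existing file is an extra assumption of this example.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:                  # hypothetical account record
    name: str
    home: str                   # per-user directory, e.g. "/users/alice"
    can_upload: bool            # may create new files
    can_overwrite: bool         # the extra right needed to replace a file

def flawed_allows_stor(acct, exists, rest_offset):
    """Assumed model of the behaviour the article observed."""
    if not acct.can_upload:
        return False
    if exists and rest_offset == 0:
        return acct.can_overwrite    # plain overwrite: Permission denied
    return True                      # a non-zero REST is trusted as a resume

def inside_home(acct, path):
    """True if the normalised absolute path lies below the account's home."""
    norm = posixpath.normpath(path)  # collapses "." and ".." components
    return norm.startswith(acct.home.rstrip("/") + "/")

def hardened_allows_stor(acct, path, exists, rest_offset):
    """Confine writes to the home directory; any write to an existing file,
    resumed or not, needs the overwrite right (rest_offset is ignored)."""
    if not acct.can_upload or not inside_home(acct, path):
        return False
    if exists:
        return acct.can_overwrite
    return True

if __name__ == "__main__":
    # Constructed scenario: upload-only user, 1000-byte file in a shared dir.
    alice = Account("alice", "/users/alice", True, False)
    for offset in (0, 1000):
        print(offset,
              flawed_allows_stor(alice, True, offset),
              hardened_allows_stor(alice, "/pub/Readme.txt", True, offset))
```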

Copyright © Windows knowledge All Rights Reserved