i found this vulnerability CVE-2021-4189 (https://bugzilla.redhat.com/show_bug.cgi?id=2036020)
in ftblib library in python
CVE description : A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
now i am confused if this vulnerability affected my code using a ftp upload in passive mode as below or should i use ftp.set_pasv(False) to use active mode only
# Init Connection
ftp = FTP()
ftp.connect(FTP_ADDRESS, FTP_PORT)
ftp.login(*FTP_CREDENTIALS)
Yes, your code would be vulnerable, if you did not update to a fixed version of Python yet. And if it is using IPv4 (PASV) for data connections (what is likely does).
I'd not recommend switching to the active mode though, as that will likely cause you problems.
Rather fix your code the same way the ftplib fix works – by ignoring the IP returned by the server in the FTP.makepasv.
See SmartFTP implementation in my answer to:
Cannot list FTP directory using ftplib – but FTP client works
Having that said, I do not consider the vulnerability serious enough to even worry about – unless your code connects to random FTP servers.
Related
I want to build a peer to peer chat engine that runs over the Internet. So far my code works on a local network but not further. This is due to the fact that listening on sockets using python sockets does not make them available outside of the LAN.
It is acceptable for IPs to be shared knowledge, ie it is ok for the other person to need to know my IP address (and a port on which I am listening) to connect to me.
How does one tell the router to open a socket to the outside world? Presumably this can be done as p2p software such as BitTorrent must do it for communication between clients.
As you have mentioned you have to open a specific port on the router and use that port for communication. As there are many router manufacturers each with a variety of models I suggest you to check the manual for the router you want to use.
for the code, you may check if your code works on LAN and then see if the router let's you white-list some ports. you may find many simple examples online.
this is a code i played sometime ago:
http://www.mediafire.com/download/vef4q4prkr7be2e/python.socket.zip
if you don't want users to mess up with ports and router settings and such, first alternative i can think of is this:
you setup an REST API, in one interface one is able to retrieve the messages providing (chatRoomName, FromTimestamp, ToTimestamp[,optionally chatRoomPassWord]) but this has nothing to do with sockets, you have to use simple HTTP requests(urllib/urllib2). Of course there might exist some workaround for this such as an always-white-listed port(like 80 for browsers, 22 for SSH) but you have to search for such exceptions.
note that ports up to 1024 require special privileges(admin/sudo) to be used.
p.s. in traditional implementation other party(client) have to know your (ip, port) duo to be able to connect to the you(server).
I had found code for peer-to-peer chat, but the thorny problems are :
1- Is there is automatic way for the srver and client to get the IP of each other (often dynamic IP) ?
N.B: I read this questions which use an intermediate server but I can't design my own server, so I am searching for another idea:
Creating Peer to Peer connections using intermediate server
Writing a simple P2P chat application
2- Can hackers use the port opened by the chat program ?
One way to locate another peer in a local area network is to broadcast a specifically constructed packet to the whole IPv4 subnet using the broadcast address. Then the peer client can be written to respond to the host who broadcasted the message and make a connection. A perfect example of an application that uses this method is Dropbox. Dropbox uses what they call LAN sync that allows for files to be transfered from peer to peer if that file is present in a dropbox on a host within the LAN. If you fire up wireshark, you can see the LAN sync messages being broadcasted from the broadcast address.
Hackers can use any remote communication protocol to exploit an application if there is a vulnerability present. The best way avoid this is by using secure coding practices and end-to-end encryption. It's not the ports necessarily being open or close that you need to worry about, but the code sitting at the application layer.
Hey I was wondering if anyone knew how to connect to a bitcoin wallet located on another server with bitcoinrpc
I am running a web program made in django and using a python library called bitcoinrpc to make connections.
When testing locally, I can use bitcoinrpc.connect_to_local), or even bitcoinrpc.connect_to_remote('account','password') and this works as well as long as the account and password match the values specified in my 'bitcoin.conf' file. I can then use the connection object to get values and do some tasks in my django site.
The third parameter in connect_to_local is default localhost. I was wondering:
A) What to specify for this third parameter in order to connect from my webserver to the wallet stored on my home comp (is it my IP address?)
B) Because the wallet is on my PC and not some dedicated server, does that mean that my IP will change and I won't be able to access the wallet?
C) The connection string is in the django app - which is hosted on heroku. Heroku apps are launched by pushing with git but I believe it is to a private repository. Still, if anyone could see the first few lines of my 'view' they would have all they need to take my BTC (or, more accurately, mBTC). Anyone know how bad this is - or any ways to go about doing btc payments/movements in a more secure way.
Thanks a lot.
I'm currently doing something very similar (heroku using express/nodejs instead of django/python tho) so I will try to share my thoughts.
In spite of using other library and other language, all the wallet remote libraries should be primarily a wrapper around JSON RPC (remote procedure call) API, which is actually the same for most of the coins out there (i would say all, but that would be a wild guess).
Specifically to your questions:
A)
To access the wallet from outside, use your external ip (fastest way to find it is to query google for it). Depending on your ISP you hopefully have static external address. You must provide this address to bitcoin.conf file under rpcallowip= option to allow incomming connections.
Moreover you should forward the used port in your home router (usually under NAT settings) to your local machine so the incoming connection from the server is allowed and redirected to your wallet computer.
There is one important thing to consider (https://en.bitcoin.it/wiki/Running_Bitcoin):
By default, only RPC connections from localhost are allowed. Specify
as many rpcallowip= settings as you like to allow connections from
other hosts (and you may use * as a wildcard character).
NOTE: opening up the RPC port to hosts outside your local
trusted network is NOT RECOMMENDED, because the rpcpassword
is transmitted over the network unencrypted.
I am yet to look into it further, from this comment alone it seems totally unusable for monetary transactions.
B)
As I said before, it depends on your home ISP, type of connection and the service provided to you.
C)
If I understand correctly from a django point of view, as long as the login parameters (username/password) are inside a view (views.py of your app) and the debug mode is turned off, source code of the server should not be publicly accessible. But the security concern from A still applies.
You can use SSL with RPC to hide the password.
rpcssl=1
I'm trying to run a simple FTPServer on EC2. My client connects to it fine, and I can make and remove directories. However, I get the following error whenever I try to store or retrieve a file: Failure: twisted.protocols.ftp.CommandFailed: ["425 Can't open data connection."]
I've tested the server on my localhost, and everything behaves as normal. I was paranoid and decided to turn on all ports in my security groups, but it still doesn't work. Am I missing something when setting up my EC2 machine?
Your FTP client appears to be in active mode, and is (like most client computers these days) behind a NAT or firewall which does not permit inbound connections.
There's another question on Stack Overflow about this topic that quite clearly explains the differences between active and passive mode in FTP; you should read it.
Configure your client to use passive mode, or "PASV", and it ought to work.
I am using rpcbind (SunRPC) on Arch linux and the Python rpc.py (which use standard python socket module) interface for comunication with it. Every time I try to send a request for registration or unregistration to rpcbind, I get message that I am rejected for security reasons. The only situation where everything works is when I call rpcbind in insecure mode (rpcbind -i), but I really want to make everything works in secure mode. I found information from the rpcbind datasheet that I can make a request in secure mode only from the loopback address, but I have tried every approach I had knew to make such a socket and everything fell down. How do I connect to rpcbind in secure mode?