[原文]The default installation of Fastream NETFile FTP/Web Server 7.4.6, which supports FXP, does not require that the IP address in a PORT command be the same as the IP of the logged in user, which allows remote attackers to conduct FTP Bounce attacks to bypass firewall rules or cause a denial of service.
Fastream NETFile FTP/Web Server Port Scan Bounce Weakness
Remote / Network Access
Loss of Integrity
Fastream NETFile FTP/Web Server contains a flaw that may lead to an information disclosure. The problem is that the FTP server does not validate IP addresses supplied via the PORT command while in passive(PASV) mode. It is possible for a remote attacker to establish a connection between the FTP server and an arbitrary port on a third-party system, essentially conducting a port-scan. This can be used to obscure the the source of the port-scan, as well as scan internal systems that may be protected by a screening device.
Upgrade to version 7.6 or higher, which allows disabling of FXP if it is not required. It is also possible to correct the flaw by implementing the following workaround(s):
1. Note that if FXP is enabled, the DoS attack is still possible (i.e. PORT 127,0,0,1,x,y is possible). Hence, if you enable FXP, you should only allow trusted users to logon to your FTP server.
2. Set a strong password for the admin interface.