Fix FTP anonymous login detection when ANONYMOUS_LOGIN option is enabled #21375
Open
kuro-toji wants to merge 1 commit into rapid7:master from
The scanner/ftp/ftp_login module was not properly handling anonymous login detection when ANONYMOUS_LOGIN option was enabled because:

1. The anonymous_creds method only checked RECORD_GUEST, not ANONYMOUS_LOGIN
2. The FTP connect_login method rejected empty username/password pairs

This fix:

- Updates anonymous_creds to also add blank username/password when ANONYMOUS_LOGIN is true
- Updates connect_login to allow empty username/password (for true anonymous FTP)

Fixes rapid7#21096
Description

The scanner/ftp/ftp_login module was not properly handling anonymous login detection when ANONYMOUS_LOGIN option was enabled. Users reported that enabling ANONYMOUS_LOGIN true with ftp_login scanner failed to detect anonymous FTP access that the scanner/ftp/anonymous module correctly detected.

Root Cause

1. anonymous_creds method only checked RECORD_GUEST option, not ANONYMOUS_LOGIN
2. connect_login method rejected empty username/password pairs with early return

Changes

- anonymous_creds to also add blank username/password when ANONYMOUS_LOGIN is true
- connect_login to allow empty username/password (for true anonymous FTP)

Fixes #21096