Re: [twsocket] New DLL hijacking vulnerability KB 2269637
> I prefer this anyway since the load errors don't raise somewhere
> but where I can handle them easily:

I also log the SSL version and directory at the point, since multiple SSL DLLs may be available on the PC and like to know the expected versions are being used:

    MySslContext.InitContext;
    AddLogLine('SSL Version: ' + OpenSslVersion + ', Dir: ' + GLIBEAY_DLL_FileName);

Angus

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
[twsocket] PASV fallback to public IP
Some FTP servers return wrong IP for PASV command (private instead of public). In such cases, obviously, FTP component can't connect to the server. Filezilla is smart enough to detect this and switch to public IP, instead:

...
Command:TYPE I
Response: 200 Type set to I.
Command:PASV
Response: 227 Entering Passive Mode (192,168,*,*,114,78).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command:LIST
Response: 150 File status okay; about to open data connection.
...

Is it possible to achieve this with ICS?

Best regards
Kristof
Re: [twsocket] PASV fallback to public IP
> Some FTP servers return wrong IP for PASV command (private instead
> of public). In such cases, obviously, FTP component can't connect to
> the server.

This is not really an FTP server issue, but a poorly designed NAT router that has not replaced the private IP address with a public IP.

> Filezilla is smart enough to detect this and switch to public IP,
> instead:

Detecting the wrong address is easy, but whether replacing it with a public address will do anything useful is more debatable since the NAT router may not know which private IP address is the intended destination of the incoming TCP connection.

NAT routers have to be designed to understand the FTP protocol, and parse the control channel for private IP addresses and forward connections appropriately. Normally this is all hidden and you never know it's happening.

Do you have a specific example of a live public server returning a private IP that we can test? It will be very difficult to set-up, since it needs a crappy NAT router.

Angus
Re: [twsocket] PASV fallback to public IP
> -----Original Message-----
> From: Angus Robertson - Magenta Systems Ltd
> [mailto:an...@magsys.co.uk]
> Sent: 07 September 2010 09:47
> To: twsocket@elists.org
> Subject: Re: [twsocket] PASV fallback to public IP
>
> > Some FTP servers return wrong IP for PASV command (private instead of
> > public). In such cases, obviously, FTP component can't connect to the
> > server.
>
> This is not really an FTP server issue, but a poorly designed
> NAT router that has not replaced the private IP address with
> a public IP.
>
> > Filezilla is smart enough to detect this and switch to public IP,
> > instead:
>
> Detecting the wrong address is easy, but whether replacing it
> with a public address will do anything useful is more
> debatable since the NAT router may not know which private IP
> address is the intended destination of the incoming TCP connection.
>
> NAT routers have to be designed to understand the FTP
> protocol, and parse the control channel for private IP
> addresses and forward connections appropriately. Normally
> this is all hidden and you never know it's happening.
>
> Do you have a specific example of a live public server
> returning a private IP that we can test? It will be very
> difficult to set-up, since it needs a crappy NAT router.
>
> Angus
>

As a FileZilla client and server user of some years. Servers that return a Private (LAN) IP in a Passive Mode parameter value, are probably misconfigured by their owners, rather than any deficiency in the routers used.

F'Zilla can only "detect" your WAN IP, if you point it to a suitable external site/service that will report back your WAN IP. Sadly, not all of them do it in a way F'Zilla can reliably handle.

You could use a local to you service, that in turn polls your router setup pages to find the WAN IP currently in use, but every router is different.

If you have a dynamic WAN IP as most home users do, you can use an external service such as DynDns so you can have a regular "domain name" whose resolved IP follows your actual IP as it changes from time to time (with a short delay...)

Then, in F'Zilla (and I guess in any ICS created server) you can find your outside (WAN) IP, by doing a DNS query on yourself (in FZ, you put your domain name in the Passive Mode Settings dialog, "Use the following IP" field) that in turn will return your current WAN IP address, that is then used as part of the client Passive mode setup protocol.

Or, you ask your ISP for a fixed IP account. :)

The only thing you need to do to any routers in line, is make sure that their port forwarding rules are set up, so that *All* the FTP Data port(s) you use, are passed to the machine on your LAN that is running the server.

The client of course, does not need to make any such adjustments, they only ever initiate outgoing connections, so no port forwarding needs to be done.

Regards.
Dave B.
[twsocket] HTTPcli: source path question
Currently I'm starting some research on HTTP downloads with ICS THttpCli. I want to add recursive download functionality but faced with impossibility to distinguish file of directory.

Then I noticed that requests to folder without trailing slash (GET /somepath/foo/bar) are redirected to locations with slash (/somepath/foo/bar/) so it's easy to tell it's a directory. I'm far not close to HTTP specs and don't know whether it's obligatory behavior and could I rely on it. Moreover, though THttpCli implements redirect internally (fortunately!!!) I don't know whether I could rely on FPath (or FLocation?) fields. I looked in RFC but found nothing on this issue.

And another thing. Shouldn't header fields Modified-since and Date be parsed as well as other ones? RFC1123_StrToDate is already present in the unit, just 2 date formats are left to implement.

And the last (finally!). RFC1123_Date seem to double standard Delphi FormatDateTime routine. You may use it with English TFormatSettings record specified (get it by GetLocaleFormatSettings(LOCALE_INVARIANT) ) to fix month and day names. This could be also used in data parsing.

--
Anton
Re: [twsocket] HTTPcli: source path question
> Currently I'm starting some research on HTTP downloads with ICS THttpCli.
> I want to add recursive download functionality but faced with
> impossibility to distinguish file of directory.

In HTTP world, there is no real directory concept. There are only documents. It happens that some webservers, if configured so, could display a directory content if the default document is missing. That directory content is a HTML page built automatically by the webserver.

> Then I noticed that requests to folder without trailing slash
> (GET /somepath/foo/bar) are redirected to locations with slash
> (/somepath/foo/bar/) so it's easy to tell it's a directory.

This is not always the case. Here again, it happens that either the web designer or the webserver by itself redirects the client to the location ending with a slash when one is missing.

> I'm far not close to HTTP specs and don't know whether it's obligatory
> behavior and could I rely on it.

I would not rely on that behaviour.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
Re: [twsocket] PASV fallback to public IP
>...
>Do you have a specific example of a live public server returning a
>private IP that we can test? It will be very difficult to set-up, since
>it needs a crappy NAT router.

Thanks for the explanation, Angus.

This issue was reported by one of my users, who later determined the cause by himself, so I have no such public server available. I will ask if this is a public server that can be checked. I guess in his case replacing private with public IP may work, since FileZilla works, however I agree that fixing NAT router would be a better option.

Best regards
Kristof
Re: [twsocket] PASV fallback to public IP
> This issue was reported by one of my users, who later determined
> the cause by himself, so I have no such public server available.
> I will ask if this is a public server that can be checked. I guess
> in his case replacing private with public IP may work, since
> FileZilla works, however I agree that fixing NAT router would be
> a better option.

I have a nagging feeling that NAT address manipulation may only happen with FTP clients, if it fails then people use passive mode.

I have one ICS FTP server behind a NAT router, another without NAT, so I'll do a test myself later in the week to confirm how much manipulation of the control channel is done by the router, if any.

Adding the same feature as FileZilla FTP client is not hard, since the server public IP address is available from the socket. Doing the same on an FTP server is much harder, and really needs a public STUN server (as used for SIP for the same reason).

Angus
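The client-side fallback that FileZilla's log shows and that the message above calls "not hard" (use the address the control socket is connected to when the 227 reply carries an unroutable one), as an added example that is not part of the thread and is not ICS code. The function names, the list of unroutable networks and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Address blocks a client on the public Internet cannot connect to.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (IPv4Address, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    fields = [int(g) for g in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV tuple")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return host, fields[4] * 256 + fields[5]


def is_unroutable(addr):
    return any(addr in net for net in UNROUTABLE)


def choose_data_endpoint(reply, control_peer):
    """Decide where to open the data connection.

    control_peer is the address the control socket is connected to.
    Returns (host, port, used_fallback).
    """
    pasv_host, port = parse_pasv_reply(reply)
    peer = ipaddress.IPv4Address(control_peer)
    # Fall back only when the advertised address cannot work from here:
    # it is unroutable while the server itself was reached on a routable one.
    if is_unroutable(pasv_host) and not is_unroutable(peer):
        return str(peer), port, True
    return str(pasv_host), port, False


if __name__ == "__main__":
    # Constructed reply and documentation-range server address.
    print(choose_data_endpoint(
        "227 Entering Passive Mode (192,168,1,20,114,78).", "203.0.113.10"))
```

When client and server are both on private addresses (same LAN), the PASV address is kept, so the fallback does not break local transfers.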
Re: [twsocket] PASV fallback to public IP
Angus Robertson - Magenta Systems Ltd wrote:

> Doing the
> same on an FTP server is much harder, and really needs a public STUN
> server (as used for SIP for the same reason).

Or simply:

--
Arno Garrels
Re: [twsocket] PASV fallback to public IP
Arno Garrels wrote:
> Angus Robertson - Magenta Systems Ltd wrote:
>
>> Doing the
>> same on an FTP server is much harder, and really needs a public STUN
>> server (as used for SIP for the same reason).
>
> Or simply:
>
> echo $_SERVER[REMOTE_ADDR];

BTW: The NAT trouble will stop with IPv6.

--
Arno Garrels
Re: [twsocket] HTTPcli: source path question
>> Then I noticed that requests to folder without trailing slash (GET
>> /somepath/foo/bar)
>> are redirected to locations with slash (/somepath/foo/bar/) so it's easy
>> to tell it's a directory.

This depends how server is configured to treat trailing slash. In most cases it will treat it as access to folder and look for default files there (index.htm, index.html, index.php, default.asp, default.aspx etc.). But this can be easily changed by simply changing .htaccess files on Apache for example so even if web server is configured one way, navigating to a certain folder with different .htaccess directives can change this behaviour completely.

You will see that for example WordPress has an option how it will display URL path - as "folders" as "html file" but in reality this is just a choice of format which will be parsed later by "index.php" or whatever. This is just a modification of .htaccess.

So you cannot really know how folders are structured on the server just by looking at the URL.

Furthermore a lot of servers are configured as virtual hosting meaning a single host hosts hundreds or even thousands of sites that share the same IP address (just have their own "user account" directory configured on the server).
Re: [twsocket] PASV fallback to public IP
> > Or simply:
> >
> > echo $_SERVER[REMOTE_ADDR];

This still needs to be running on a public server somewhere! I don't have PHP on mine.

> BTW: The NAT trouble will stop with IPv6.

And introduce lots of new problems instead. My new Sonicwall pass IPv6, but not process it.

Angus