Koozali.org: home of the SME Server

Figured out how to FTP to an IBAY and upload from the intern

Craig Bursey

Figured out how to FTP to an IBAY and upload from the intern
« on: August 15, 2001, 03:28:29 AM »
Hi Folks,

I think I've figured out how to upload to an IBAY from the internet and even to the HTML directory.  I don't like that you have to open up the system to do it but you only have to alter the settings in the IBAY and in the E-Smith Manager. You don't have to mess with any Templates or other behind the scenes stuff.

I just tested it and was able to download files into the Files and/or HTML directories of an IBAY.

My issue is should I post the solution, it has the potential to open a big security hole in the system and I don't know if I should put it out there. I think it's also a good idea for me to test it on another system just in case there is something unique with my setup.

I'll keep this posting updated,

Craig

Craig Bursey

Re: Figured out how to FTP to an IBAY and upload from the in
« Reply #1 on: August 15, 2001, 05:32:20 PM »
Hi Folks,

I'm at work and was successful at FTPing into an IBAY on my home  E-smith Server. I did some more tests and found that the method I'm using leaves your PC wide open, definitely too wide open!! With the proper settings in your FTP client you can easily move around the directories on the server.

I guess the settings are good for occasional use but I don't know if I would leave them on all the time.

What I would like to try now is connecting to someone else's E-smith Server from my location, just to confirm that the setting will work in a different environment.

If you are interested in helping me with this test then please drop me a line and I'll tell you the e-smith settings you have to change.

Thanks,

Craig

Alec

Re: Figured out how to FTP to an IBAY and upload from the in
« Reply #2 on: August 15, 2001, 06:29:02 PM »
I've got a test server connected to the net, so you can try your 'thing' on it. Send your details to trotsford@hotmail.com. Can't promise a quick response as I am fairly busy

Craig Bursey

Re: This is an HOWTO for uploading to an IBAY from the Inter
« Reply #3 on: August 16, 2001, 04:32:40 PM »
Hi Folks,

Here's the basics on how you can upload to an IBAY from the Internet. You can upload to the CGI-BIN, FILES or HTML directories.


- CREATE/SETUP YOUR IBAY

  - Group:  Everyone
  - User access via file sharing or user ftp:  Write = Group,
    Read = Everyone(*)
  - Public access via web or anonymous ftp: Entire Internet(No
    password required)

- SECURITY

  - REMOTE ACCESS
    - FTP user account access: Public


** OK, your E-Smith Server is ready to go


- FTP CLIENT Software

- Setup your FTP client profile like this:

  - Host : the IP or URL for your E-Smith Server
  - Username: admin
  - Password:  Admin password
  - Remote Site Folder: /ibays/"IBAY name from above"
    * This can also be left blank and then you have to drill
      down to the directory you want.

This is scary in that if you want someone else to upload to your server then you have to give them your ADMIN password, but if it's only for yourself it's great because you can access a good bit of your server remotely.

By FTPing in this way you expose the:

- Ibays
- Managers
- Primary
- Users

meaning the user can drill up/down into any of these directories and make changes. You can't drill down into the Users home directories though, you'll get a permission denied message, well at least I did.

I've tested this enough to know that it works and I'd like to thank Brian Moore for letting me test it on his Server (have you changed your admin password yet?? ha ha )

The settings I describe here are the ones that are on my server, they may not all have to be this way.

 
Good Luck,

Craig

Justin

Re: This is an HOWTO for uploading to an IBAY from the Inter
« Reply #4 on: August 16, 2001, 06:28:14 PM »
> This is scary in that if you want someone else to upload to
> your server then you have to give them your ADMIN password
> but if it's only for yourself it's great because you can
> access a good bit of your server remotely.
>
> By FTPing in this way you expose the:
>
> - Ibays
> - Managers
> - Primary
> - Users
>

You also expose the root password to your server in plain text and send it across the Internet.

You may want to re-think this Craig. Have a look at Stunnel or WinSCP (even better) to do this.

Justin.

Noah

Re: This is an HOWTO for uploading to an IBAY from the Inter
« Reply #5 on: August 17, 2001, 12:10:47 AM »
Craig Bursey wrote:

> - CREATE/SETUP YOUR IBAY
>
>   - Group:  Everyone
>   - User access via file sharing or user ftp:  Write = Group,
>     Read = Everyone(*)
>   - Public access via web or anonymous ftp: Entire Internet(No
>     password required)
...
> This is scary in that if you want someone else to upload to
> your server then you have to give them your ADMIN password
> but if it's only for yourself it's great because you can
> access a good bit of your server remotely.

If you assign a group to an ibay, then members of the group can ftp into the ibay by using their own username and password.  You probably don't want to be giving out your Admin password!

>
> By FTPing in this way you expose the:
>
> - Ibays
> - Managers
> - Primary
> - Users

If you only want to restrict users to just the ibays, then you can change the DefaultRoot directory.  Simply edit the 05DefaultRoot template in the proftpd.conf directory (or create a custom template fragment in the custom template directory).  All you need to do is change /home/e-smith/files to /home/e-smith/files/ibays (i.e. just add /ibays to the end of the line).  When users ftp to your server, they will only see the list of ibays.  Similarly, you could change the DefaultRoot to /users to limit access to the user directories.

Noah
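An added example, not part of Noah's post or of the e-smith code: a small check of the DefaultRoot change described above, which parses a proftpd.conf excerpt, flags a root wider than the ibays tree, and models where a client's `../users` request lands under each setting. The function names and the two config excerpts are constructed for illustration; only the two paths come from the thread.

```python
import posixpath

FILES_ROOT = "/home/e-smith/files"   # default root named in the post above
IBAYS_ROOT = FILES_ROOT + "/ibays"   # narrowed root suggested in the post above

# Constructed proftpd.conf excerpts, not copied from a real server.
BEFORE = "# 05DefaultRoot\nDefaultRoot /home/e-smith/files\n"
AFTER = "# 05DefaultRoot\nDefaultRoot /home/e-smith/files/ibays\n"


def default_roots(conf_text):
    """Return the directory argument of every DefaultRoot directive."""
    roots = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "defaultroot":
            roots.append(posixpath.normpath(parts[1]))
    return roots


def resolve(root, requested, cwd="/"):
    """Model the jail: map a client path to the server path it lands on."""
    # normpath on an absolute path discards any ".." that climbs above "/",
    # which is what confinement to the root means for the client.
    virtual = posixpath.normpath(posixpath.join("/", cwd, requested))
    return posixpath.normpath(root + virtual)


def audit(conf_text):
    """List DefaultRoot settings that expose more than the ibays tree."""
    roots = default_roots(conf_text)
    if not roots:
        return ["no DefaultRoot directive: FTP sessions are not confined"]
    return [
        f"DefaultRoot {r} is not inside {IBAYS_ROOT}"
        for r in roots
        if r != IBAYS_ROOT and not r.startswith(IBAYS_ROOT + "/")
    ]


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        root = default_roots(conf)[0]
        print(name, audit(conf) or "ok", "| ../users ->", resolve(root, "../users"))
```
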

Frits

Re: This is an HOWTO for uploading to an IBAY from the Inter
« Reply #6 on: August 19, 2001, 12:26:16 AM »
It is working fine,

Thanx Noah, Justin, Craig Bursey and Alec,

but one question ftp://213.51.50.30 shows all the files why