- 01-07-2008 #1 Just Joined!
- Join Date
- May 2006
- Posts
- 5
vsftpd - major quirks with IE
I'm running Suse 10.1 with vsftpd as a public ftp server. Anonymous support is turned off. I'm noticing some bizarre stuff with Internet Explorer. When I log in with ftp://user:pass@whatever.com it will drop me to the root directory '/' which should absolutely NOT be happening. The strange thing is in Firefox it works perfectly. It opens the user's home directory specified in /etc/passwd. Also if I use the command line or some other ftp client it works correctly. I have no idea what is up with Internet Explorer ... any ideas? Am I missing something?
- 01-07-2008 #2 Just Joined!
- Join Date
- Feb 2005
- Posts
- 4
Are you running exploder 7.0? You might have to go to the Page menu -> Open FTP site in Windows Explorer (after signing in the first time, and yes, it will prompt you to sign in again, funtastic).
IE7 is special like that...
Also on another note, if you go to tools, and internet options, and the advanced tab, there's a setting in the list that says "Enable FTP folder view (outside of internet explorer)"
Uncheck this and IE7 will act like IE6 did with FTP sites
- 01-08-2008 #3 Just Joined!
- Join Date
- May 2006
- Posts
- 5
The strange thing is that anonymous ftp is off but even after playing with those options IE7 will show the server root directory / and is acting as if I'm using anonymous ftp ... it completely ignores the username and password ... it does work with 'Page' -> 'ftp open with Windows explorer' ... WTF!? Microsoft!!! ... but vsftpd should not even be sending '/' directory info
- 01-08-2008 #4 Linux Guru
- Join Date
- Nov 2007
- Posts
- 1,695
If the account being used has rights to access / via FTP, then that is what you need to fix.
IE cannot magically display some part of your server that it doesn't have access to.
If this is the case, then IE has saved you by pointing out this flaw in your design. If the user has an account in /etc/passwd, then they will have those same user rights to the normal filesystem unless they are jailed/chroot'ed.
- 01-11-2008 #5 Just Joined!
- Join Date
- May 2006
- Posts
- 5
That is what you would think ... but I discovered that with ftp://ip, even without any login info, it will display the root level directory. You can click through the directories but are not able to download files ... so it's like you have some 'view access' of the directory structure but not even 'read only' (... now keep in mind Firefox does not have this problem, it will NOT allow you to see anything with ftp://ip without username and password ... in other words Firefox works as expected and IE does not, anonymous ftp is turned off ... if you use a command line ftp it will not accept anonymous). I just have no idea how IE is doing this ... it's a serious security flaw with either vsftpd or IE or both ... wtf
- 01-11-2008 #6 Linux Guru
- Join Date
- Nov 2007
- Posts
- 1,695
Again, IE is not "hacking your server" and getting access to something that it shouldn't.
IE is much more integrated with the OS (than other browsers) and could be passing credentials from the currently logged in user. IE7 may even be "worse" than previous IE's about this (I don't know for sure, as I've steered clear of it.)
Are you logged into Windows with a username/pass that happens to be the same pair you use on your Linux machine? Maybe create a dummy account on your Windows machine (Bob/test936), log in, and try the FTP client in IE. Have you had anyone else test it?
- 01-15-2008 #7 Just Joined!
- Join Date
- May 2006
- Posts
- 5
Unfortunately no, I'm not using a username / pass that matches anything on the Linux box ... I've tested this from 3 different machines @ my shop, mine @ home and another @ my client's (where the server is @) ... I agree IE shouldn't be able to see anything that vsftp does give it ... I guess that brings up the question why is vsftp handing the root directory listing off ... I swear I'm not an idiot, I've set this kind of thing up on several Fedora boxes @ my other clients with no problem ... this time I decided to go with Suse ... bad idea I guess
- 01-17-2008 #8
give us a GZIPPED copy of your vsftpd.conf file (include EVERYTHING!)
- 01-21-2008 #9 Just Joined!
- Join Date
- May 2006
- Posts
- 5
I commented this line out in the vsftpd.cfg ...
#anon_world_readable_only=YES
now it works correctly ... odd because anonymous is turned off ... you would think that if anon access is off then this line wouldn't be relevant ... oh well whatever ...
it still doesn't explain why firefox works as expected and ie doesn't ... oh yes it does, ie sucks
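Added example, not part of the original thread and not code from vsftpd: a small Python check that reports the effective value of the options discussed above (anonymous login, chroot for local users, anon_world_readable_only), falling back to the built-in default when a line is absent or commented out. The defaults are taken from the upstream vsftpd.conf(5) man page and are an assumption for any particular distribution build; the sample configuration is constructed.

```python
import re

# Built-in defaults per upstream vsftpd.conf(5); assumption: the distro build
# keeps them. Note that anonymous_enable defaults to YES.
DEFAULTS = {
    "anonymous_enable": True,
    "local_enable": False,
    "chroot_local_user": False,
    "chroot_list_enable": False,
    "anon_world_readable_only": True,
}
TRUE_WORDS = {"YES", "TRUE", "1"}
LINE = re.compile(r"^(\w+)=(.*)$")  # option=value, no spaces around '='


def effective_settings(conf_text):
    """Return {option: (value, origin)}; origin is 'set' or 'default'."""
    seen = {}
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):  # a commented-out line sets nothing
            continue
        m = LINE.match(line)
        if m and m.group(1) in DEFAULTS:
            seen[m.group(1)] = m.group(2).strip().upper() in TRUE_WORDS  # last wins
    return {k: (seen.get(k, d), "set" if k in seen else "default")
            for k, d in DEFAULTS.items()}


def findings(conf_text):
    """List exposure-relevant results for the settings named in the thread."""
    eff = effective_settings(conf_text)
    out = []
    if eff["anonymous_enable"][0]:
        out.append("anonymous login enabled (%s)" % eff["anonymous_enable"][1])
    jailed = eff["chroot_local_user"][0] or eff["chroot_list_enable"][0]
    if eff["local_enable"][0] and not jailed:
        out.append("local users not chrooted (%s)" % eff["chroot_local_user"][1])
    return out


# Constructed sample: the anonymous line is commented out rather than set to NO.
SAMPLE = "#anonymous_enable=NO\nlocal_enable=YES\n#anon_world_readable_only=YES\n"

if __name__ == "__main__":
    for name, (value, origin) in effective_settings(SAMPLE).items():
        print("%-26s %-3s (%s)" % (name, "YES" if value else "NO", origin))
    for f in findings(SAMPLE):
        print("WARN:", f)
```

Run it against the real file by passing the contents of vsftpd.conf to findings(); an empty list means anonymous login is explicitly off and local users are jailed.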