FTP Client vulnerable to PASV port scanning/banner disclosure
The FTP client trusts the IP address returned by the server in its reply to the PASV command. As a result, a malicious server can use the client to perform TCP port scanning and to disclose network service banners on other hosts.
One solution would be to provide an option to ignore the IP address in the PASV reply and instead reuse the IP address already used to establish the control channel with the server. Ideally, this option would default to ignoring the IP address provided in the PASV reply.
For reference, with the current implementation it is possible to distinguish open ports from closed/filtered ones by observing the client's behaviour after the PASV command: if the client closes the control channel, the port was closed; otherwise the client follows up with a TYPE command, which indicates that the port was open.
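As an added illustration of the proposed mitigation (example code, not the affected client's own implementation), the following PASV reply parser discards the server-supplied address by default and reuses the control-channel peer IP, while still exposing the advertised address so that a redirect attempt can be logged. The function names, the flag name `trust_server_ip` and the sample replies are assumptions.

```python
import re

# Matches the six comma-separated fields of a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
_PASV_FIELDS = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _parse_pasv_fields(reply):
    """Return (advertised_host, port) from a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("unexpected reply to PASV: %r" % reply)
    match = _PASV_FIELDS.search(reply)
    if match is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0: %r" % reply)
    return "%d.%d.%d.%d" % tuple(fields[:4]), port


def parse_pasv_reply(reply, control_peer_ip, trust_server_ip=False):
    """Return the (host, port) the client should use for the data connection.

    control_peer_ip -- the address the control channel is already connected to.
    trust_server_ip -- False (safe default): ignore the host in the reply and
                       reuse control_peer_ip, so the server cannot redirect the
                       data connection to a third host. True: legacy behaviour.
    """
    advertised_host, port = _parse_pasv_fields(reply)
    host = advertised_host if trust_server_ip else control_peer_ip
    return host, port


def pasv_redirect_attempted(reply, control_peer_ip):
    """True when the server advertised a host other than the control peer.

    Worth logging even when the address is ignored: a legitimate server
    behind NAT may do this, but so does a server abusing the client.
    """
    advertised_host, _ = _parse_pasv_fields(reply)
    return advertised_host != control_peer_ip


if __name__ == "__main__":
    # Constructed sample: control channel to 203.0.113.10, reply points elsewhere.
    reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(parse_pasv_reply(reply, "203.0.113.10"))          # ('203.0.113.10', 50000)
    print(pasv_redirect_attempted(reply, "203.0.113.10"))   # True
```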