FXP Security Issues

My hosting company runs PROFTPD software, which will support foreign connections. However, they have it disabled. The second level folks that I talked to seemed to be willing to consider enabling it, if I could demonstrate that there was not a big security issue. (The PROFTPD manual cites rfc2577 as the reason for the big security issue.)

The main problem seems to be a "bounce" attack.

Can anybody with SmartFTP write something definitive, that either illustrates that FXP does carry a substantial security opening, or why it does not?

Your assistance will be appreciated across the globe.

For premium support please post your license key (without signature) or buy one at
https://www.smartftp.com/buy.php

Thank you.

Hello ...

It's a security risk. But we cannot estimate the risk in your situation. It's up to your hosting company. You can check whether other big hosters have it enabled or not. It may be a good reference.

It seems to me that a bounce attack is
A) only a threat to the target of the attack, which is not the FTP platform from through which it is launched.
that rfc2577 is more concerned about anonymous FTP allowing 'hard to trace' bounce attacks.
C) therefore FXP is NOT a security threat to the host, and
D) therefore if only enabled when not anonymous, the complaint of being 'hard to trace' is moot.

but all this is just suppositions, because I don't really have a good FTP foundation.

Is there someone out there that can address this issue definitively?

Support staff, is it okay for others to cross post this question on non-SmartFTP sites, in an attempt to get a real answer - and maybe get FXP turned on at lots of sites. My host has over a million sites, and they don't have answers to these questions. How many hosts are in a similar spot - installing the default values on their FTP servers which leave FXP off for potentially moot reasons.

THANKS