mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FTPSERVER-467) plain text injection during initialization of encrypted channel
Date Tue, 24 Feb 2015 13:55:04 GMT

    [ https://issues.apache.org/jira/browse/FTPSERVER-467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334882#comment-14334882
] 

Emmanuel Lecharny commented on FTPSERVER-467:
---------------------------------------------

Moved the issue to the FtpServer JIRA, where it deserves to be.

> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
>                 Key: FTPSERVER-467
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-467
>             Project: FtpServer
>          Issue Type: Bug
>            Reporter: alexander todorov
>
> Hi, 
> We have plain text injection problem with mina 2.0.4 (It is reproducible with 2.0.9 as
well).
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious, that the output was received encrypted. However, the command was sent
unencrypted. In general, it is possible to inject commands in plain-text during the initialization
of the encrypted 
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are send after “auth tls” must be ignored.
> Do you plan to fix this issue ?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message