mina-dev mailing list archives

From "Eskindir Wondimu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FTPSERVER-467) plain text injection during initialization of encrypted channel
Date Fri, 03 Apr 2015 23:29:55 GMT

    [ https://issues.apache.org/jira/browse/FTPSERVER-467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14395258#comment-14395258

Eskindir Wondimu commented on FTPSERVER-467:

It looks like in DefaultFTPRequest.java the parse() function keeps parsing past \r\n when
it should have stopped there, hence FTPRequest.getCommand eats the next FTP command as its
argument. When "AUTH TLS" is received, SSL has still not started yet; the server has yet to send back
the 234 reply in plain text.

> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>                 Key: FTPSERVER-467
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-467
>             Project: FtpServer
>          Issue Type: Bug
>            Reporter: alexander todorov
> Hi, 
> We have plain text injection problem with mina 2.0.4 (It is reproducible with 2.0.9 as
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious that the output was received encrypted. However, the command was sent
> unencrypted. In general, it is possible to inject commands in plain-text during the initialization
> of the encrypted channel. This can be abused for attacks against the user.
> All unencrypted commands that are sent after “auth tls” must be ignored.
> Do you plan to fix this issue ?

This message was sent by Atlassian JIRA
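The two behaviours discussed in this thread, as an added example written for this archive page (it is not Apache FtpServer's code, and `parse_request_greedy`, `parse_request_line`, `ControlSession` and the reply texts are assumptions for illustration): a greedy parser that lets the argument run past the first CRLF and swallow the next command, a line parser that cuts exactly one request at CRLF, and a toy control session that, after replying 234 to AUTH TLS, drops any plaintext the client pipelined behind it instead of executing it.

```python
# Added example, not Apache FtpServer code: a minimal model of FTP control-
# channel request parsing around AUTH TLS. Reply strings are assumed.

CRLF = b"\r\n"


def parse_request_greedy(raw: bytes):
    """Mimics the reported parse() behaviour: treat the whole received chunk
    as one request, splitting only at the first space, so everything after
    the first CRLF ends up inside the argument."""
    head, sep, rest = raw.partition(b" ")
    command = head.strip().upper().decode("ascii", "replace")
    argument = rest.decode("ascii", "replace") if sep else ""
    return command, argument


def parse_request_line(buffer: bytes):
    """Cut exactly one request at the first CRLF.

    Returns ((command, argument), remaining_buffer), or (None, buffer) when
    no complete line has arrived yet."""
    line, sep, remaining = buffer.partition(CRLF)
    if not sep:
        return None, buffer
    head, _, arg = line.partition(b" ")
    command = head.upper().decode("ascii", "replace")
    return (command, arg.decode("ascii", "replace")), remaining


class ControlSession:
    """Toy FTP control connection; only AUTH TLS and FEAT are modelled.

    With discard_after_auth=True, plaintext bytes already buffered after the
    AUTH TLS line are dropped before the TLS handshake, which is the fix the
    reporter asks for. With False it reproduces the reported injection."""

    def __init__(self, discard_after_auth: bool = True):
        self.discard_after_auth = discard_after_auth
        self.buffer = b""
        self.tls_pending = False   # 234 sent, handshake not yet performed
        self.discarded = b""       # plaintext dropped after AUTH TLS

    def feed(self, data: bytes):
        """Feed plaintext bytes received from the client; return the replies
        the server would send."""
        replies = []
        self.buffer += data
        while True:
            request, self.buffer = parse_request_line(self.buffer)
            if request is None:
                break
            command, argument = request
            if command == "AUTH" and argument.upper() == "TLS":
                replies.append("234 AUTH TLS successful")
                self.tls_pending = True
                if self.discard_after_auth:
                    # Anything already received behind AUTH TLS was sent in
                    # plaintext before the handshake and must not be executed.
                    self.discarded += self.buffer
                    self.buffer = b""
                    break  # hand the socket over to the TLS handshake
                continue   # vulnerable path: keep executing buffered commands
            if command == "FEAT":
                replies.append("211 End")
            else:
                replies.append("502 Command not implemented")
        return replies


if __name__ == "__main__":
    # Constructed client input taken from the report: "auth tls\r\nfeat".
    raw = b"auth tls\r\nfeat\r\n"
    print("greedy parse:", parse_request_greedy(raw))
    print("line parse:  ", parse_request_line(raw))
    print("vulnerable:  ", ControlSession(discard_after_auth=False).feed(raw))
    hardened = ControlSession()
    print("hardened:    ", hardened.feed(raw), "dropped:", hardened.discarded)
```

Running the block shows the greedy parser returning `("AUTH", "tls\r\nfeat")`, the vulnerable session answering both 234 and 211 (FEAT executed from plaintext), and the hardened session answering only 234 while recording `feat\r\n` as discarded.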
