mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eskindir Wondimu (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (FTPSERVER-467) plain text injection during initialization of encrypted channel
Date Fri, 03 Apr 2015 23:32:54 GMT

    [ https://issues.apache.org/jira/browse/FTPSERVER-467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14395258#comment-14395258
] 

Eskindir Wondimu edited comment on FTPSERVER-467 at 4/3/15 11:32 PM:
---------------------------------------------------------------------

Looks that in DefaultFTPRequest.java parse() function parsing keeps parsing passed \r\n when
it should have stopped there hence the FTPRequest.getCommand eating as argument the next FTP
command. When "AUTH TLS" is received still the SSL has not started yet the server has yet
to send back 234 reply in plain text.


was (Author: eskindir):
Looks that in DefaultFTPRequest.java parse() function parsing keeps parsing passed \r\n when
it should have stopped there hence the FTPRequest.getCommand eating as argument the next FTP
command. When "AUTH TLS" still the SSL has not started yet the server has yet to send back
234 reply n plain text.

> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
>                 Key: FTPSERVER-467
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-467
>             Project: FtpServer
>          Issue Type: Bug
>            Reporter: alexander todorov
>
> Hi, 
> We have plain text injection problem with mina 2.0.4 (It is reproducible with 2.0.9 as
well).
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious, that the output was received encrypted. However, the command was sent
unencrypted. In general, it is possible to inject commands in plain-text during the initialization
of the encrypted 
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are send after “auth tls” must be ignored.
> Do you plan to fix this issue ?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message