alexander todorov created DIRMINA-1007:
------------------------------------------
Summary: plain text injection during initialization of encrypted channel
Key: DIRMINA-1007
URL: https://issues.apache.org/jira/browse/DIRMINA-1007
Project: MINA
Issue Type: Bug
Reporter: alexander todorov
Hi,
We have a plain text injection problem with mina 2.0.4 (it is reproducible with
2.0.9 as well).
This is the problem:
The FTP client sends the commands:
auth tls\r\nfeat
and the feat command is executed.
It became obvious that the output was received encrypted. However, the command
was sent unencrypted. In general, it is possible to inject commands in
plain text during the initialization of the encrypted
channel. This can be abused for attacks against the user.
All unencrypted commands that are sent after “auth tls” must be ignored.
Do you plan to fix this issue?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
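
Added example, not part of the original report and not Apache MINA code: a small model of a server-side control-channel reader that replays the "auth tls\r\nfeat" read from the report, once with pipelined cleartext left in the buffer and once with the buffer discarded at the upgrade. The class, function and field names are hypothetical, the reads are constructed, and the model assumes that reads arriving after the upgrade go to the TLS layer rather than the command parser.

```python
class ControlChannel:
    """Toy model (hypothetical names, not Apache MINA code) of the reader around AUTH TLS."""

    def __init__(self, discard_pipelined):
        self.discard_pipelined = discard_pipelined  # True = hardened behaviour
        self.pending = b""       # bytes received but not yet parsed into a line
        self.tls_started = False
        self.executed = []       # (command, received_as) in execution order
        self.discarded = b""     # cleartext dropped at the upgrade boundary

    def receive(self, data, received_as):
        # received_as is "plain" or "tls": how the bytes arrived on the wire.
        if self.tls_started and received_as == "plain":
            # Assumption: later cleartext reads never reach the command parser.
            self.discarded += data
            return
        self.pending += data
        while b"\r\n" in self.pending:
            line, self.pending = self.pending.split(b"\r\n", 1)
            command = line.decode("ascii", "replace").strip().upper()
            self.executed.append((command, received_as))
            if command == "AUTH TLS" and not self.tls_started:
                self.tls_started = True
                if self.discard_pipelined:
                    # Drop the rest of the cleartext read, partial lines included.
                    self.discarded += self.pending
                    self.pending = b""
                    return


def injected(channel):
    """Commands that arrived in cleartext but ran after AUTH TLS was accepted."""
    seen_auth, hits = False, []
    for command, received_as in channel.executed:
        if seen_auth and received_as == "plain":
            hits.append(command)
        seen_auth = seen_auth or command == "AUTH TLS"
    return hits


def replay(reads, discard_pipelined):
    channel = ControlChannel(discard_pipelined)
    for data, received_as in reads:
        channel.receive(data, received_as)
    return channel


# Constructed input: the cleartext read from the report, then a TLS-protected command.
READS = [(b"auth tls\r\nfeat\r\n", "plain"), (b"PBSZ 0\r\n", "tls")]
```

With discard_pipelined=False the model runs FEAT from the cleartext read after the upgrade has begun, which is the behaviour the report describes; with True the trailing bytes end up in discarded and only commands received over TLS run.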