[
https://issues.apache.org/jira/browse/DIRMINA-1007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14333381#comment-14333381
]
alexander todorov commented on DIRMINA-1007:
--------------------------------------------
I will send sample code but I think that the problem is in the mina code (not
in the ftp server code) since mina is responsible for parsing of the commands
and sending them to the server and when the "FEAT" command reaches the server
there is no information if the command was sent as plain text or encoded.
> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
> Key: DIRMINA-1007
> URL: https://issues.apache.org/jira/browse/DIRMINA-1007
> Project: MINA
> Issue Type: Bug
> Reporter: alexander todorov
>
> Hi,
> We have plain text injection problem with mina 2.0.4 (It is reproducible with
> 2.0.9 as well).
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious, that the output was received encrypted. However, the
> command was sent unencrypted. In general, it is possible to inject commands
> in plain-text during the initialization of the encrypted
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are send after “auth tls” must be ignored.
> Do you plan to fix this issue ?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
