alexander todorov created FTPSERVER-466:
-------------------------------------------
Summary: plain text injection problem
Key: FTPSERVER-466
URL: https://issues.apache.org/jira/browse/FTPSERVER-466
Project: FtpServer
Issue Type: Bug
Reporter: alexander todorov
Hi,
We have a plain text injection problem with mina 2.0.4 (it is reproducible with
2.0.9 as well).
This is the problem:
The FTP client sends the commands:
auth tls\r\nfeat
and the feat command is executed on our FTP server.
It became obvious that the output was received encrypted. However, the command
“feat” was sent unencrypted. In general, it is possible to inject commands in
plain text during the initialization of the encrypted channel. This can be
abused for attacks against the user.
All unencrypted commands that are sent after “auth tls” must be ignored.
The problem is that the classes from mina-core.jar that are parsing the
commands are passing the commands as plain text to our FTP server, and the FTP
server does not know if the command is received as plain text or via SSL. If the
FTP server knew whether a certain command was received via SSL or not, it
could easily cut all plain text commands that are sent immediately after AUTH TLS.
Here is the stack trace:
Our_FeatCommand(StAbstractCommand).execute(FtpIoSession, FtpServerContext,
FtpRequest) line: 65
Our_Custom_FtpHandler.messageReceived(FtpIoSession, FtpRequest) line: 288
Our_Custom_FtpHandlerAdapter.messageReceived(IoSession, Object) line: 69 //
HERE THE SECOND PARAMETER IS A STRING “FEAT”. IF IT IS AN OBJECT THAT CONTAINS
INFORMATION WHETHER THE COMMAND IS RECEIVED VIA SSL, WE CAN EASILY IGNORE THE
COMMAND IF IT IS RECEIVED AS PLAIN TEXT AFTER “AUTH TLS” IS ALREADY RECEIVED.
DefaultIoFilterChain$TailFilter.messageReceived(IoFilter$NextFilter, IoSession,
Object) line: 716
DefaultIoFilterChain.callNextMessageReceived(IoFilterChain$Entry, IoSession,
Object) line: 434
DefaultIoFilterChain.access$5(DefaultIoFilterChain, IoFilterChain$Entry,
IoSession, Object) line: 429
DefaultIoFilterChain$EntryImpl$1.messageReceived(IoSession, Object) line: 796
ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(IoFilter$NextFilter,
IoSession) line: 467
ProtocolCodecFilter.messageReceived(IoFilter$NextFilter, IoSession, Object)
line: 285
DefaultIoFilterChain.callNextMessageReceived(IoFilterChain$Entry, IoSession,
Object) line: 434
DefaultIoFilterChain.access$5(DefaultIoFilterChain, IoFilterChain$Entry,
IoSession, Object) line: 429
DefaultIoFilterChain$EntryImpl$1.messageReceived(IoSession, Object) line: 796
IoFilterEvent.fire() line: 75
IoFilterEvent(IoEvent).run() line: 63
OrderedThreadPoolExecutor$Worker.runTask(Runnable) line: 780
OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor$SessionTasksQueue)
line: 772
OrderedThreadPoolExecutor$Worker.run() line: 714
Thread.run() line: not available
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
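The mitigation the report asks for (the command decoder must know whether a line arrived before or after the TLS handshake, and must discard plaintext that follows AUTH TLS) can be modelled independently of MINA. The following is an added example, not code from Apache FtpServer or MINA: a small Python decoder that splits a byte stream into CRLF-terminated commands, tags each one with whether it was received under TLS, and drops anything pipelined behind AUTH TLS or sent in plaintext before the handshake completes. The class and method names (`FtpCommandDecoder`, `feed`, `handshake_complete`, `DecodedCommand`) and the sample byte strings are constructed for the example.

```python
"""Model of an FTP command decoder that refuses plaintext commands pipelined
behind AUTH TLS (added example; not Apache FtpServer or MINA code)."""
from __future__ import annotations

from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass
class DecodedCommand:
    line: str          # command text as received
    encrypted: bool    # True once the TLS handshake has completed
    accepted: bool     # False if the server must discard it
    reason: str = ""   # why it was discarded, if it was


class FtpCommandDecoder:
    """Splits a byte stream into commands and tracks the AUTH TLS transition,
    so the handler receives an object that says whether each command was
    protected instead of a bare string (hypothetical replacement for the
    plain String the report describes)."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self.tls_pending = False   # AUTH TLS seen, handshake not yet done
        self.tls_active = False    # handshake done; input is now decrypted

    def feed(self, data: bytes) -> list[DecodedCommand]:
        out: list[DecodedCommand] = []
        self._buf += data
        while True:
            end = self._buf.find(CRLF)
            if end < 0:
                break
            line = bytes(self._buf[:end]).decode("ascii", "replace")
            del self._buf[: end + len(CRLF)]

            # Plaintext arriving after AUTH TLS but before the handshake
            # finished cannot be trusted: drop it instead of executing it.
            if self.tls_pending and not self.tls_active:
                out.append(DecodedCommand(line, False, False,
                                          "plaintext after AUTH TLS"))
                continue

            out.append(DecodedCommand(line, self.tls_active, True))

            if not self.tls_active and line.strip().upper() == "AUTH TLS":
                self.tls_pending = True
                # Bytes already buffered behind AUTH TLS were sent before the
                # client could have started the handshake, so they are plaintext
                # by construction (the "auth tls\r\nfeat" case). Discard them.
                leftover = bytes(self._buf)
                self._buf.clear()
                if leftover:
                    out.append(DecodedCommand(
                        leftover.decode("ascii", "replace"), False, False,
                        "pipelined after AUTH TLS"))
        return out

    def handshake_complete(self) -> None:
        """Called once the TLS layer reports a finished handshake; from here
        on the decoder is fed decrypted bytes."""
        self.tls_active = True
        self.tls_pending = False
        self._buf.clear()


def simulate_pipelined_injection() -> list[DecodedCommand]:
    """Replays the report's scenario with constructed input."""
    dec = FtpCommandDecoder()
    events = dec.feed(b"auth tls\r\nfeat\r\n")   # constructed: pipelined client
    dec.handshake_complete()                       # server replied 234, TLS up
    events += dec.feed(b"FEAT\r\n")                # same command, now decrypted
    return events


if __name__ == "__main__":
    for ev in simulate_pipelined_injection():
        state = "ACCEPT" if ev.accepted else f"DROP ({ev.reason})"
        print(f"{ev.line.strip()!r:12} encrypted={ev.encrypted} -> {state}")
```

In the replay, `auth tls` is accepted as a plaintext command, the trailing `feat` is dropped as pipelined, and only the `FEAT` that arrives after `handshake_complete()` is accepted and tagged `encrypted=True`. A second plaintext packet sent between AUTH TLS and the handshake is dropped by the `tls_pending` check, which is the "ignore all unencrypted commands sent after auth tls" rule from the report.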