[
https://issues.apache.org/jira/browse/DIRMINA-1007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334874#comment-14334874
]
alexander todorov commented on DIRMINA-1007:
--------------------------------------------
Just one last clarification.
>From what I see the classes that are parsing the commands (TextLineDecoder)
>and that are calling our FTP server handler are in mina-core.jar.
Here is the stack trace:
Our_FeatCommand(StAbstractCommand).execute(FtpIoSession, FtpServerContext,
FtpRequest) line: 65
Our_Custom_FtpHandler.messageReceived(FtpIoSession, FtpRequest) line: 288
Our_Custom_FtpHandlerAdapter.messageReceived(IoSession, Object) line: 69 //
HERE THE SECOND PARAMETER IS A STRING “FEAT”.IF IT IS AN OBJECT THAT CONTAINS
INFORMATION WHETHER THE COMMAND IS RECEIVED VIA SSL WE CAN EASY IGNORE THE
COMMAND IF IT IS RECEIVED AS A PLAIN TEXT AFTER “AUTH TLS” IS ALREADY RECEIVED.
DefaultIoFilterChain$TailFilter.messageReceived(IoFilter$NextFilter, IoSession,
Object) line: 716
DefaultIoFilterChain.callNextMessageReceived(IoFilterChain$Entry, IoSession,
Object) line: 434
DefaultIoFilterChain.access$5(DefaultIoFilterChain, IoFilterChain$Entry,
IoSession, Object) line: 429
DefaultIoFilterChain$EntryImpl$1.messageReceived(IoSession, Object) line: 796
ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(IoFilter$NextFilter,
IoSession) line: 467
ProtocolCodecFilter.messageReceived(IoFilter$NextFilter, IoSession, Object)
line: 285
DefaultIoFilterChain.callNextMessageReceived(IoFilterChain$Entry, IoSession,
Object) line: 434
DefaultIoFilterChain.access$5(DefaultIoFilterChain, IoFilterChain$Entry,
IoSession, Object) line: 429
DefaultIoFilterChain$EntryImpl$1.messageReceived(IoSession, Object) line: 796
IoFilterEvent.fire() line: 75
IoFilterEvent(IoEvent).run() line: 63
I think that the solution is to change the classes from this stack trace to
pass to our ftp server an object that contains the ftp command and information
if the command is received via ssl.The SSL filter class also should be changed
a little to put the information that the command is received via SSL.
> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
> Key: DIRMINA-1007
> URL: https://issues.apache.org/jira/browse/DIRMINA-1007
> Project: MINA
> Issue Type: Bug
> Reporter: alexander todorov
>
> Hi,
> We have plain text injection problem with mina 2.0.4 (It is reproducible with
> 2.0.9 as well).
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious, that the output was received encrypted. However, the
> command was sent unencrypted. In general, it is possible to inject commands
> in plain-text during the initialization of the encrypted
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are send after “auth tls” must be ignored.
> Do you plan to fix this issue ?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
