[
https://issues.apache.org/jira/browse/FTPSERVER-467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14340000#comment-14340000
]
Jeff MAURY commented on FTPSERVER-467:
--------------------------------------
According to your client code, the plain text message is sent in the same TCP
message as the START TLS message. So I don't think this is a case for injection
because TLS will be started after the TCP message (containing both START TLS
and text message) has been received. Or the server side should probably reject
the remaining part of the message when processing START TLS.
> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
> Key: FTPSERVER-467
> URL: https://issues.apache.org/jira/browse/FTPSERVER-467
> Project: FtpServer
> Issue Type: Bug
> Reporter: alexander todorov
>
> Hi,
> We have plain text injection problem with mina 2.0.4 (It is reproducible with
> 2.0.9 as well).
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious, that the output was received encrypted. However, the
> command was sent unencrypted. In general, it is possible to inject commands
> in plain-text during the initialization of the encrypted
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are send after “auth tls” must be ignored.
> Do you plan to fix this issue ?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
