[
https://issues.apache.org/jira/browse/FTPSERVER-467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14395258#comment-14395258
]
Eskindir Wondimu commented on FTPSERVER-467:
--------------------------------------------
Looks that in DefaultFTPRequest.java parse() function parsing keeps parsing
passed \r\n when it should have stopped there hence the FTPRequest.getCommand
eating as argument the next FTP command. When "AUTH TLS" still the SSL has not
started yet the server has yet to send back 234 reply n plain text.
> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
> Key: FTPSERVER-467
> URL: https://issues.apache.org/jira/browse/FTPSERVER-467
> Project: FtpServer
> Issue Type: Bug
> Reporter: alexander todorov
>
> Hi,
> We have plain text injection problem with mina 2.0.4 (It is reproducible with
> 2.0.9 as well).
> This is the problem
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious, that the output was received encrypted. However, the
> command was sent unencrypted. In general, it is possible to inject commands
> in plain-text during the initialization of the encrypted
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are send after “auth tls” must be ignored.
> Do you plan to fix this issue ?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
