Toshitsugu Yoneyama created NET-647:
---------------------------------------
Summary: FTP Command Injection
Key: NET-647
URL: https://issues.apache.org/jira/browse/NET-647
Project: Commons Net
Issue Type: Bug
Components: FTP
Affects Versions: 3.6, 3.5, 3.4
Environment: Vulnerable program example(ftpClient.java)
---------------------------------------------------------
private static final String username = "test"; // ftp user name
private static final String password = "test"; // ftp user password
FTPClient ftp = new FTPClient();
FTPClientConfig config = new FTPClientConfig();
ftp.configure(config);
boolean error = false;
try {
int reply;
String server = "localhost"; // terget ip address
ftp.connect(server);
System.out.println("Connected to " + server + ".");
System.out.println(ftp.getReplyString());
ftp.login(username, password);
String path = "test" // <= FTP command injection.
ftp.changeWorkingDirectory(path);
...(snip)...
---------------------------------------------------------
Reporter: Toshitsugu Yoneyama
Priority: Critical
It does not check path in changeWorkingDirectory().
So I can inject to FTP Command and I can do "FTP Bounce Attack", OS command
injection from SITE command, and up/download malicious file.
For example:
String path = "test\r\nNOOP" // <= FTP command injection.
I suggest to this patch.
[before]
public boolean changeWorkingDirectory(String pathname) throws IOException {
return FTPReply.isPositiveCompletion(cwd(pathname));
}
[aftter]
public boolean changeWorkingDirectory(String pathname) throws IOException {
String separator = "\r\n|[\n\r\u2028\u2029\u0085]";
String paths[] = pathname.split(separator);
return FTPReply.isPositiveCompletion(cwd(paths[0]));
}
Best regards,
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
