[
https://issues.apache.org/jira/browse/NET-647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16285733#comment-16285733
]
Sebb commented on NET-647:
--------------------------
Please never use a public issue tracker for raising what appears to be a
security issue.
Instead, follow the instructions at: http://commons.apache.org/security.html
(linked from the main Commons page).
Luckily, this is not a security issue.
==
NET is designed as a low-level interface to various protocols.
It does not generally sanitise input.
Callers must ensure that appropriate data is passed to the methods.
Also there may be legitimate reasons for passing CR or LF to certain commands.
Having said that, it might make sense to reject parameters containing the
sequence CRLF since that is the command terminator.
But further research is needed to establish whether there are any command
parameters that allow the sequence.
Apps using NET should ensure that the data they pass to it is valid.
> FTP Command Injection
> ----------------------
>
> Key: NET-647
> URL: https://issues.apache.org/jira/browse/NET-647
> Project: Commons Net
> Issue Type: Bug
> Components: FTP
> Affects Versions: 3.4, 3.5, 3.6
> Reporter: Toshitsugu Yoneyama
> Priority: Critical
> Labels: security
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> Vulnerable program example(ftpClient.java)
> ---------------------------------------------------------
> private static final String username = "test"; // ftp user name
> private static final String password = "test"; // ftp user password
> FTPClient ftp = new FTPClient();
> FTPClientConfig config = new FTPClientConfig();
> ftp.configure(config);
> boolean error = false;
> try {
> int reply;
> String server = "localhost"; // target ip address
> ftp.connect(server);
> System.out.println("Connected to " + server + ".");
> System.out.println(ftp.getReplyString());
> ftp.login(username, password);
>
> String path = "test"; // <= FTP command injection.
> ftp.changeWorkingDirectory(path);
> ...(snip)...
> ---------------------------------------------------------
> It does not check path in changeWorkingDirectory().
> So I can inject FTP commands and can perform an "FTP Bounce Attack", OS command
> injection via the SITE command, and upload/download malicious files.
> For example:
> String path = "test\r\nNOOP"; // <= FTP command injection.
> I suggest this patch.
> [before]
> public boolean changeWorkingDirectory(String pathname) throws IOException {
> return FTPReply.isPositiveCompletion(cwd(pathname));
> }
> [after]
> public boolean changeWorkingDirectory(String pathname) throws IOException {
> String separator = "\r\n|[\n\r\u2028\u2029\u0085]";
> String paths[] = pathname.split(separator);
> return FTPReply.isPositiveCompletion(cwd(paths[0]));
> }
> Best regards,
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
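The caller-side check Sebb's comment asks for, as an added example that is not part of the issue thread or of Commons Net itself. It rejects CR and LF in a pathname before the value reaches FTPClient.changeWorkingDirectory, instead of splitting on the terminator and silently using the first segment as the reporter's patch does. Only FTPClient.changeWorkingDirectory(String) comes from the library; the class name SafeFtpArgs, its method names and the sample inputs are assumptions constructed for this example.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import org.apache.commons.net.ftp.FTPClient;

/**
 * Caller-side validation for arguments handed to Commons Net FTPClient.
 * Added example, not Commons Net code: the class and method names here are
 * assumptions; only FTPClient.changeWorkingDirectory is the library's own API.
 */
public final class SafeFtpArgs {

    // FTP commands are terminated by CRLF. A bare CR or LF inside an argument
    // may still be treated as a terminator by some servers and is never part of
    // a legitimate pathname in this application, so both are rejected rather
    // than only the exact CRLF pair.
    private static final Pattern LINE_BREAK = Pattern.compile("[\\r\\n]");

    private SafeFtpArgs() {}

    /** Returns true when the argument contains no CR or LF character. */
    public static boolean isSafeArgument(String arg) {
        return arg != null && !LINE_BREAK.matcher(arg).find();
    }

    /** Fails loudly instead of truncating, so the caller notices bad input. */
    public static String requireSafeArgument(String arg, String what) {
        if (!isSafeArgument(arg)) {
            throw new IllegalArgumentException(what + " contains a line terminator");
        }
        return arg;
    }

    /** CWD with the pathname validated before it is written to the wire. */
    public static boolean changeWorkingDirectory(FTPClient ftp, String pathname)
            throws IOException {
        requireSafeArgument(pathname, "pathname");
        return ftp.changeWorkingDirectory(pathname);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two ordinary paths, then the CRLF-plus-NOOP
        // shape quoted in NET-647, then a trailing bare LF.
        String[] samples = { "test", "pub/incoming", "test\r\nNOOP", "test\n" };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + (isSafeArgument(s) ? "accepted" : "rejected"));
        }
    }
}
```

The wrapper deliberately throws rather than trimming the argument: an application that receives a pathname with an embedded line terminator is already handling attacker-influenced input, and a rejected request is easier to log and investigate than one that quietly ran a shortened command. Applying the same check to every user-supplied value passed to the client (usernames, file names, SITE arguments) is the policy the comment describes; whether the library itself should refuse CRLF is the open question Sebb leaves for further research.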