Posted to dev@mina.apache.org by "alexander todorov (JIRA)" <ji...@apache.org> on 2015/02/24 14:28:04 UTC

[jira] [Created] (FTPSERVER-466) plain text injection problem

alexander todorov created FTPSERVER-466:
-------------------------------------------

             Summary: plain text injection problem 
                 Key: FTPSERVER-466
                 URL: https://issues.apache.org/jira/browse/FTPSERVER-466
             Project: FtpServer
          Issue Type: Bug
            Reporter: alexander todorov


Hi, 
We have a plain text injection problem with mina 2.0.4 (it is reproducible with 2.0.9 as well).
This is the problem:
The FTP client sends the commands:
auth tls\r\nfeat
and the feat command is executed on our FTP server.
It became obvious that the output was received encrypted. However, the command “feat” was sent unencrypted. In general, it is possible to inject commands in plain text during the initialization of the encrypted channel. This can be abused for attacks against the user.
All unencrypted commands that are sent after “auth tls” must be ignored.
The problem is that the classes from mina-core.jar that are parsing the commands are passing the commands as plain text to our FTP server, and the FTP server does not know if the command is received as plain text or via SSL. If the FTP server has the knowledge of whether a certain command is received via SSL or not, it can easily cut all plain text commands that are sent immediately after AUTH TLS.

Here is the stack trace:
Our_FeatCommand(StAbstractCommand).execute(FtpIoSession, FtpServerContext, FtpRequest) line: 65	
Our_Custom_FtpHandler.messageReceived(FtpIoSession, FtpRequest) line: 288	
Our_Custom_FtpHandlerAdapter.messageReceived(IoSession, Object) line: 69 // HERE THE SECOND PARAMETER IS A STRING “FEAT”. IF IT IS AN OBJECT THAT CONTAINS INFORMATION WHETHER THE COMMAND IS RECEIVED VIA SSL, WE CAN EASILY IGNORE THE COMMAND IF IT IS RECEIVED AS PLAIN TEXT AFTER “AUTH TLS” IS ALREADY RECEIVED.
	
DefaultIoFilterChain$TailFilter.messageReceived(IoFilter$NextFilter, IoSession, Object) line: 716	
DefaultIoFilterChain.callNextMessageReceived(IoFilterChain$Entry, IoSession, Object) line: 434	
DefaultIoFilterChain.access$5(DefaultIoFilterChain, IoFilterChain$Entry, IoSession, Object) line: 429	
DefaultIoFilterChain$EntryImpl$1.messageReceived(IoSession, Object) line: 796	
ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(IoFilter$NextFilter, IoSession) line: 467	
ProtocolCodecFilter.messageReceived(IoFilter$NextFilter, IoSession, Object) line: 285
DefaultIoFilterChain.callNextMessageReceived(IoFilterChain$Entry, IoSession, Object) line: 434	
DefaultIoFilterChain.access$5(DefaultIoFilterChain, IoFilterChain$Entry, IoSession, Object) line: 429	
DefaultIoFilterChain$EntryImpl$1.messageReceived(IoSession, Object) line: 796	
IoFilterEvent.fire() line: 75	
IoFilterEvent(IoEvent).run() line: 63	
OrderedThreadPoolExecutor$Worker.runTask(Runnable) line: 780	
OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor$SessionTasksQueue) line: 772	
OrderedThreadPoolExecutor$Worker.run() line: 714	
Thread.run() line: not available




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
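
The behaviour reported above and the requested fix, as an added example that is not part of the original message and is not MINA or FtpServer code: a stand-alone line decoder (hypothetical class `AuthTlsBufferDemo`, using no MINA APIs) that either keeps or discards whatever plaintext is still buffered once `AUTH TLS` has been parsed. The input strings are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical model of an FTP control-channel line decoder; not MINA code. */
class AuthTlsBufferDemo {
    private final StringBuilder buf = new StringBuilder(); // bytes read but not yet parsed
    private final boolean discardAfterAuthTls;

    AuthTlsBufferDemo(boolean discardAfterAuthTls) {
        this.discardAfterAuthTls = discardAfterAuthTls;
    }

    /** Appends received data and returns the commands handed to the FTP handler. */
    List<String> feed(String data) {
        List<String> dispatched = new ArrayList<>();
        buf.append(data);
        int eol;
        while ((eol = buf.indexOf("\r\n")) >= 0) {
            String cmd = buf.substring(0, eol).trim();
            buf.delete(0, eol + 2);
            dispatched.add(cmd);
            if (discardAfterAuthTls && cmd.equalsIgnoreCase("AUTH TLS")) {
                // Everything still buffered arrived in plaintext, before the TLS
                // handshake. Drop it, including a trailing partial line that would
                // otherwise be glued onto the first command received over TLS.
                buf.setLength(0);
                break;
            }
        }
        return dispatched;
    }

    public static void main(String[] args) {
        // Constructed input: one plaintext read carrying AUTH TLS plus a pipelined command.
        String plaintextRead = "auth tls\r\nfeat\r\n";
        // Constructed input: first command that really arrives through the TLS layer.
        String afterHandshake = "PBSZ 0\r\n";

        for (boolean hardened : new boolean[] {false, true}) {
            AuthTlsBufferDemo decoder = new AuthTlsBufferDemo(hardened);
            List<String> seen = new ArrayList<>(decoder.feed(plaintextRead));
            seen.addAll(decoder.feed(afterHandshake));
            // Without the discard, "feat" reaches the handler although it was never encrypted.
            System.out.println((hardened ? "discarding: " : "as reported: ") + seen);
        }
    }
}
```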