Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.4, 3.5, 3.6
-
None
-
None
Description
Vulnerable program example(ftpClient.java)
---------------------------------------------------------
private static final String username = "test"; // ftp user name
private static final String password = "test"; // ftp user password
FTPClient ftp = new FTPClient();
FTPClientConfig config = new FTPClientConfig();
ftp.configure(config);
boolean error = false;
try {
int reply;
String server = "localhost"; // terget ip address
ftp.connect(server);
System.out.println("Connected to " + server + ".");
System.out.println(ftp.getReplyString());
ftp.login(username, password);
String path = "test" // <= FTP command injection.
ftp.changeWorkingDirectory(path);
...(snip)...
---------------------------------------------------------
It does not check path in changeWorkingDirectory().
So I can inject to FTP Command and I can do "FTP Bounce Attack", OS command injection from SITE command, and up/download malicious file.
For example:
String path = "test\r\nNOOP" // <= FTP command injection.
I suggest to this patch.
[before]
public boolean changeWorkingDirectory(String pathname) throws IOException
[aftter]
public boolean changeWorkingDirectory(String pathname) throws IOException
Best regards,