Commons Net
NET-647

FTP Command Injection


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.4, 3.5, 3.6
    • Fix Version/s: None
    • Component/s: FTP
    • Labels: None

    Description

      Vulnerable program example (ftpClient.java)
      ---------------------------------------------------------
      import java.io.IOException;

      import org.apache.commons.net.ftp.FTPClient;
      import org.apache.commons.net.ftp.FTPClientConfig;

      public class ftpClient {
          private static final String username = "test"; // ftp user name
          private static final String password = "test"; // ftp user password

          public static void main(String[] args) {
              FTPClient ftp = new FTPClient();
              FTPClientConfig config = new FTPClientConfig();

              ftp.configure(config);
              boolean error = false;

              try {
                  int reply;
                  String server = "localhost"; // target ip address
                  ftp.connect(server);
                  System.out.println("Connected to " + server + ".");
                  System.out.println(ftp.getReplyString());

                  ftp.login(username, password);

                  String path = "test"; // <= FTP command injection.
                  ftp.changeWorkingDirectory(path); // path goes to the control channel unchecked
                  // ...(snip)...
              } catch (IOException e) {
                  error = true;
                  e.printStackTrace();
              }
          }
      }
      ---------------------------------------------------------

      It does not check the path in changeWorkingDirectory().
      So I can inject an FTP command, and I can do an "FTP Bounce Attack", OS command injection from the SITE command, and upload/download malicious files.

      For example:
      String path = "test\r\nNOOP"; // <= FTP command injection.

      I suggest this patch.

      [before]
      public boolean changeWorkingDirectory(String pathname) throws IOException
      {
          return FTPReply.isPositiveCompletion(cwd(pathname));
      }

      [after]
      public boolean changeWorkingDirectory(String pathname) throws IOException
      {
          // Cut the argument at the first line break so that nothing after a
          // CR/LF can be sent as a second command on the control channel.
          String separator = "\r\n|[\n\r\u2028\u2029\u0085]";
          String[] paths = pathname.split(separator);
          return FTPReply.isPositiveCompletion(cwd(paths[0]));
      }

      Best regards,
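Editor's added example, not Commons Net code and not part of the report above: a constructed model of what this injection looks like on the FTP control channel. RFC 959 frames every command as text terminated by CRLF, so a client that embeds a caller-supplied argument verbatim lets a CR LF inside the argument end the CWD early and start a second command. The block builds the raw command string, shows what a server parses out of it (the report's NOOP case and a PORT line of the kind used in an FTP bounce), applies the truncation the proposed patch performs, and, as a hypothetical stricter alternative named checked_argument, rejects the argument instead of silently sending a different path. The server model, the tolerate_bare_lf switch and all inputs are assumptions made for the demonstration.

```python
"""Model of NET-647 on the wire, constructed for this page (not Commons Net code).

RFC 959 frames every control-channel command as text ending in CRLF, so an
FTP client that embeds a caller-supplied argument verbatim lets a CR LF inside
that argument terminate the command early and start another one.
"""
import re
from typing import List

CRLF = "\r\n"

# Line terminators the proposed patch splits on. Only CRLF ends an FTP
# command, but the patch (and the check below) also covers bare CR / LF and
# the Unicode separators, because lenient servers accept some of them.
LINE_BREAK = re.compile("\r\n|[\n\r\u2028\u2029\u0085]")


def build_command(verb: str, argument: str) -> str:
    """What an unchecked client writes: 'VERB argument<CRLF>', argument verbatim."""
    return f"{verb} {argument}{CRLF}"


def server_commands(stream: str, tolerate_bare_lf: bool = False) -> List[str]:
    """What a (modelled) server parses out of that stream: one command per line.

    A strict server only recognises CRLF; a lenient one also accepts bare LF.
    """
    pattern = r"\r?\n" if tolerate_bare_lf else CRLF
    return [line for line in re.split(pattern, stream) if line]


def truncate_argument(argument: str) -> str:
    """The reporter's proposed fix: keep only the text before the first line break.

    Edge case: an argument that *starts* with a line break becomes "", so the
    client silently sends 'CWD ' with an empty path instead of failing.
    """
    return LINE_BREAK.split(argument)[0]


def checked_argument(argument: str) -> str:
    """Hypothetical stricter alternative (not the proposed patch): refuse the
    argument rather than send something other than what the caller asked for."""
    if LINE_BREAK.search(argument):
        raise ValueError(f"line break in FTP command argument: {argument!r}")
    return argument


def injection_report(argument: str) -> dict:
    """Summarise one argument: what a strict server executes, what the proposed
    patch would send instead, and whether the strict check rejects it."""
    try:
        checked_argument(argument)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "server_sees": server_commands(build_command("CWD", argument)),
        "patched_argument": truncate_argument(argument),
        "rejected_by_check": rejected,
    }


if __name__ == "__main__":
    # Constructed inputs: the report's NOOP example, an FTP-bounce style PORT
    # line, and the leading-CRLF edge case that the truncation turns into "".
    for arg in ["test", "test\r\nNOOP", "test\r\nPORT 10,0,0,5,0,25", "\r\nNOOP"]:
        print(repr(arg), "->", injection_report(arg))
```

The practical takeaway is the difference between truncate_argument and checked_argument: truncation stops the second command from being sent, but the caller never learns that the path it supplied was altered, and a leading line break turns into an empty argument. Rejecting the argument keeps the failure visible to the application.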


          People

            Assignee: Unassigned
            Reporter: t.yoneyama (Toshitsugu Yoneyama)


          Time Tracking

            Original Estimate: 168h
            Remaining Estimate: 168h
            Time Spent: Not Specified
