Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 1.1.1
- test on macOS High Sierra 10.13.4, but not relevant
- Important
Description
Dear Apache FTPServer developers,
We have found a timing side-channel in class org.apache.ftpserver.util.StringUtils, method "public final static String pad(String src, char padChar, boolean rightPad, int totalLength)". This method leaks the necessary padding in a timing side channel, from which a potential attacker could obtain the length of the src String. In your project this method is used to add padding to a username, hence, a potential attacker could obtain the length of a given username, which might be used for further attacks.
Do you agree with our findings?
We found this class in the latest version of your git repo: https://git-wip-us.apache.org/repos/asf?p=mina-ftpserver.git;a=summary
As a secure fix we would recommend using a variant of the equals method, which does iterate the complete strings in the case of the same string lengths, independent of whether they match or not:

    public final static String pad_safe(String src, char padChar, boolean rightPad, int totalLength) {
        int srcLength = src.length();
        if (srcLength >= totalLength) {
            return src;
        }
        int padLength = totalLength - srcLength;
        StringBuilder sb = new StringBuilder(padLength);
        // Loop bound is totalLength, not padLength, so the iteration count
        // does not depend on src.length().
        for (int i = 0; i < totalLength; ++i) {
            if (i < padLength) {
                sb.append(padChar);
            } else {
                sb.append("");
            }
        }
        if (rightPad) {
            return src + sb.toString();
        } else {
            return sb.toString() + src;
        }
    }
Do you agree with our patch proposal?
Please feel free to contact us for further clarification! You can reach us by the following email address:
yannic.noller@informatik.hu-berlin.de
Best regards,
Yannic Noller
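The following Java program is an added illustration, not code from this report or from Apache FTPServer. It places an instrumented copy of the pad() shape the report describes next to the proposed pad_safe() and counts loop iterations instead of measuring wall-clock time, so the length dependence of the loop bound can be seen deterministically. The class name, the counter field and the sample usernames are assumptions constructed for this demonstration.

```java
// Added example (not Apache FTPServer code): count loop iterations of the
// reported pad() shape and of the proposed pad_safe() for inputs of
// different lengths. Names and sample inputs are constructed for this demo.
public class PadIterationDemo {

    // Deterministic stand-in for timing: number of loop bodies executed.
    static long loopIterations = 0;

    // Shape of the method the report describes: loop bound is
    // totalLength - src.length(), so the work depends on the input length.
    static String pad(String src, char padChar, boolean rightPad, int totalLength) {
        int srcLength = src.length();
        if (srcLength >= totalLength) {
            return src;
        }
        int padLength = totalLength - srcLength;
        StringBuilder sb = new StringBuilder(padLength);
        for (int i = 0; i < padLength; ++i) {
            loopIterations++;
            sb.append(padChar);
        }
        return rightPad ? src + sb : sb + src;
    }

    // Proposed variant: loop bound is totalLength, independent of src.length().
    static String padSafe(String src, char padChar, boolean rightPad, int totalLength) {
        int srcLength = src.length();
        if (srcLength >= totalLength) {
            return src;
        }
        int padLength = totalLength - srcLength;
        StringBuilder sb = new StringBuilder(padLength);
        for (int i = 0; i < totalLength; ++i) {
            loopIterations++;
            if (i < padLength) {
                sb.append(padChar);
            } else {
                sb.append("");
            }
        }
        return rightPad ? src + sb : sb + src;
    }

    // Reset the counter, run one padding call, and return the iterations it used.
    static long countIterations(Runnable call) {
        loopIterations = 0;
        call.run();
        return loopIterations;
    }

    public static void main(String[] args) {
        // Constructed usernames of different lengths, padded to the same width.
        String[] users = {"bob", "administrator"};
        int width = 20;
        for (String u : users) {
            long reported = countIterations(() -> pad(u, ' ', true, width));
            long proposed = countIterations(() -> padSafe(u, ' ', true, width));
            boolean sameOutput = pad(u, ' ', true, width).equals(padSafe(u, ' ', true, width));
            System.out.printf("%-14s pad: %2d iterations, pad_safe: %2d iterations, same output: %b%n",
                              u, reported, proposed, sameOutput);
        }
    }
}
```

Compile and run with `javac PadIterationDemo.java && java PadIterationDemo`. For the reported shape the iteration count is the padding length (17 for the 3-character name, 7 for the 13-character name), while the proposed variant performs 20 iterations for both, and both functions produce identical padded strings. Iteration count is only a proxy: it shows that the loop bound no longer depends on the input, but it says nothing about JIT, allocation or memory effects, which a real timing measurement would also have to consider.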