Dear Apache FTPServer developers,
We have found a timing side-channel in class org.apache.ftpserver.usermanager.SaltedPasswordEncryptor, method "private String encrypt(String password, String salt)". This encryption method leaks information about the salt. The processing time in this method differs for different salt values. Therefore, a potential attacker could retrieve information about the generated salt, which is important to guess the stored password.
Do you agree with our findings?
We identified this side-channel after fixing the one mentioned in:
FTPSERVER-485
Please feel free to contact us for further clarification! You can reach us by the following email address: yannic.noller@informatik.hu-berlin.de
Best regards,
Yannic Noller
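Whether a hashing routine's running time depends on a secret input such as the salt can be checked statistically rather than by code inspection. The following is an added example, not the reporter's tooling and not Apache FTPServer code: a small dudect-style harness that times a function under two classes of salt and applies Welch's t-test to the two timing populations. The functions `leaky_salted_hash` and `fixed_salted_hash`, the password constant and the salt samples are constructed stand-ins for illustration and are not the SaltedPasswordEncryptor implementation.

```python
"""Dudect-style timing check: does a routine's running time depend on its secret input?

Added example, not part of the FTPSERVER report or of Apache FTPServer.
"""
import hashlib
import math
import statistics
import time
from typing import Callable, List, Sequence


def welch_t(a: Sequence[float], b: Sequence[float]) -> float:
    """Welch's t statistic for two timing samples with unequal variances.
    |t| above roughly 4.5 is the cutoff dudect uses to flag a leak."""
    mean_a, mean_b = statistics.fmean(a), statistics.fmean(b)
    var_a, var_b = statistics.variance(a), statistics.variance(b)
    return (mean_a - mean_b) / math.sqrt(var_a / len(a) + var_b / len(b))


def measure(fn: Callable[[str], object], inputs: Sequence[str], repeats: int = 200) -> List[float]:
    """Per-call wall-clock timings in nanoseconds. Inputs are cycled round-robin
    so clock drift and cache/JIT warm-up affect every input class equally."""
    timings: List[float] = []
    for _ in range(repeats):
        for x in inputs:
            start = time.perf_counter_ns()
            fn(x)
            timings.append(time.perf_counter_ns() - start)
    return timings


def timing_leak_suspected(fn: Callable[[str], object], class_a: Sequence[str],
                          class_b: Sequence[str], repeats: int = 200,
                          threshold: float = 4.5) -> bool:
    """True when the timings of two classes of secret input differ significantly."""
    t = welch_t(measure(fn, class_a, repeats), measure(fn, class_b, repeats))
    return abs(t) > threshold


# --- constructed stand-ins (hypothetical; NOT the Apache FTPServer encryptor) ---
PASSWORD = "correct horse"  # constructed sample password


def leaky_salted_hash(salt: str) -> str:
    """Toy encryptor whose amount of work depends on the salt: it re-hashes
    50 times per salt character, so salt length shows up in the timing."""
    digest = hashlib.md5((salt + PASSWORD).encode()).hexdigest()
    for _ in range(len(salt) * 50):
        digest = hashlib.md5(digest.encode()).hexdigest()
    return digest


def fixed_salted_hash(salt: str) -> str:
    """Same toy, but with a salt-independent, fixed amount of work."""
    digest = hashlib.md5((salt + PASSWORD).encode()).hexdigest()
    for _ in range(500):
        digest = hashlib.md5(digest.encode()).hexdigest()
    return digest


if __name__ == "__main__":
    # Constructed salt classes: short versus long salt strings.
    short_salts = ["ab", "cd", "ef"]
    long_salts = ["abcdefghijkl", "mnopqrstuvwx", "yzabcdefghij"]
    print("leaky routine flagged:", timing_leak_suspected(leaky_salted_hash, short_salts, long_salts))
    print("fixed routine flagged:", timing_leak_suspected(fixed_salted_hash, short_salts, long_salts))
```

Run on an otherwise idle machine; the leaky stand-in is flagged while the fixed one normally is not. Timing noise means a single run below the threshold is not proof of absence, so repeat with more `repeats` and with salt classes that differ in value as well as in length before concluding that a routine is salt-independent.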