[ https://issues.apache.org/jira/browse/DIRMINA-1007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14330106#comment-14330106 ]

Jeff MAURY commented on DIRMINA-1007:
-------------------------------------

Can you give a code sample or logs?

> plain text injection during initialization of encrypted channel
> ---------------------------------------------------------------
>
> Key: DIRMINA-1007
> URL: https://issues.apache.org/jira/browse/DIRMINA-1007
> Project: MINA
> Issue Type: Bug
> Reporter: alexander todorov
>
> Hi,
> We have a plain text injection problem with mina 2.0.4 (it is reproducible with
> 2.0.9 as well).
> This is the problem:
> The FTP client sends the commands:
> auth tls\r\nfeat
> and the feat command is executed.
> It became obvious that the output was received encrypted. However, the
> command was sent unencrypted. In general, it is possible to inject commands
> in plain text during the initialization of the encrypted
> channel. This can be abused for attacks against the user.
> All unencrypted commands that are sent after “auth tls” must be ignored.
> Do you plan to fix this issue?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
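
The behaviour described in the quoted report, as an added example that is not part of the original message and is not MINA or FtpServer code: a toy control-channel reader in which bytes buffered in the same plaintext read as `auth tls` are either parsed after the upgrade or discarded at the upgrade point. The class, the `discard_on_upgrade` switch and the `replay` helper are hypothetical names, the TLS handshake is not modelled, and the input is constructed from the command sequence in the report.

```python
class ControlChannel:
    """Toy FTP control-channel reader: splits bytes into CRLF-terminated commands."""

    def __init__(self, discard_on_upgrade):
        self.discard_on_upgrade = discard_on_upgrade
        self.buffer = b""        # received bytes not yet parsed into a command
        self.tls_active = False  # True once "auth tls" has been accepted
        self.executed = []       # (command, session considered TLS-protected?)
        self.dropped = b""       # plaintext discarded at the upgrade point

    def receive(self, data):
        """Feed one read from the transport. After the upgrade the caller is
        assumed to pass only bytes decrypted by the TLS layer."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            self._execute(line.decode("ascii"))

    def _execute(self, command):
        self.executed.append((command, self.tls_active))
        if command.lower() == "auth tls" and not self.tls_active:
            self.tls_active = True  # the handshake itself is not modelled
            if self.discard_on_upgrade:
                # Bytes read in the same plaintext segment as "auth tls" were
                # never protected by TLS, so they must not be parsed later.
                self.dropped += self.buffer
                self.buffer = b""


def replay(segments, discard_on_upgrade):
    """Run constructed transport reads through a fresh channel."""
    channel = ControlChannel(discard_on_upgrade)
    for segment in segments:
        channel.receive(segment)
    return channel


# Constructed input: the sequence from the report, pipelined in one plaintext read.
PIPELINED = [b"auth tls\r\nfeat\r\n"]

if __name__ == "__main__":
    for discard in (False, True):
        ch = replay(PIPELINED, discard)
        print("discard_on_upgrade=%s executed=%r dropped=%r"
              % (discard, ch.executed, ch.dropped))
```

With the switch off, `feat` is recorded as executed inside a session already marked as TLS-protected, which matches the encrypted response the reporter observed; with it on, only `auth tls` runs and the trailing plaintext is dropped.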