[ https://issues.apache.org/jira/browse/FTPSERVER-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Valliere resolved FTPSERVER-487.
-----------------------------------------
    Resolution: Fixed

Resolved in FTPSERVER-485

> Timing Side Channel SaltedPasswordEncryptor.encrypt(String password, String salt)
> ---------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-487
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-487
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.1.1
>         Environment: tested on macOS High Sierra 10.13.4, but it is not relevant
>            Reporter: Yannic Noller
>            Priority: Major
>              Labels: security
>
> Dear Apache FTPServer developers,
> We have found a timing side-channel in class org.apache.ftpserver.usermanager.SaltedPasswordEncryptor, method "private String encrypt(String password, String salt)". This encryption method leaks information about the salt. The processing time in this method differs for different salt values. Therefore, a potential attacker could retrieve information about the generated salt, which is important to guess the stored password.
> Do you agree with our findings?
> We identified this side-channel after fixing the one mentioned in: [FTPSERVER-485|https://issues.apache.org/jira/browse/FTPSERVER-485]
> Please feel free to contact us for further clarification! You can reach us by the following email address: yannic.nol...@informatik.hu-berlin.de
> Best regards,
> Yannic Noller

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
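The property the report asks for is that password handling must not take a different amount of time depending on secret material (salt or hash bytes). The class below is an added, self-contained illustration written for this page; it is not Apache FtpServer's SaltedPasswordEncryptor, and the storage format (base64 salt, a colon, base64 SHA-256 of salt || password) is an assumption chosen for the example. It puts the naive comparison, where String.equals returns at the first differing character and so leaks how long the matching prefix is, next to the hardened form that compares every byte with MessageDigest.isEqual.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Illustrative salted-hash password store (NOT FtpServer's
 * SaltedPasswordEncryptor). Stored format, assumed for this example:
 *   base64(salt) ":" base64(SHA-256(salt || password))
 */
public final class ConstantTimeSaltedHash {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;

    // Generate a fresh random salt and hash the password under it.
    public static String encrypt(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt) + ":"
             + Base64.getEncoder().encodeToString(digest(salt, password));
    }

    // Naive form: String.equals stops at the first differing character, so
    // the time spent depends on how many leading characters of the stored
    // hash the candidate happens to share. Shown only for contrast.
    public static boolean matchesNaive(String password, String stored) {
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        String candidate = Base64.getEncoder().encodeToString(digest(salt, password));
        return candidate.equals(parts[1]);
    }

    // Hardened form: MessageDigest.isEqual walks every byte of both arrays
    // regardless of where the first mismatch is, so the comparison time does
    // not reveal anything about the stored hash.
    public static boolean matches(String password, String stored) {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false;
        }
        byte[] salt;
        byte[] expected;
        try {
            salt = Base64.getDecoder().decode(parts[0]);
            expected = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        byte[] candidate = digest(salt, password);
        return MessageDigest.isEqual(candidate, expected);
    }

    // Same work for every salt value: one digest over salt then password bytes.
    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JRE", e);
        }
    }

    public static void main(String[] args) {
        String stored = encrypt("correct horse battery staple");
        System.out.println("stored:         " + stored);
        System.out.println("right password: " + matches("correct horse battery staple", stored));
        System.out.println("wrong password: " + matches("Tr0ub4dor&3", stored));
    }
}
```

MessageDigest.isEqual has compared equal-length arrays in constant time since Java 6u17; on older runtimes it short-circuited like String.equals, so the JRE version is part of the review when auditing a comparison for this class of leak.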