Bug 3624 - Plaintext command injection in FTPS support
Status: CLOSED FIXED
Product: ProFTPD
Component: mod_tls
Version: 1.3.3
Hardware: All All
Importance: P2 critical
Assigned To: TJ Saunders
Keywords: Backport
Reported: 2011-03-21 16:46 UTC by TJ Saunders
Modified: 2021-03-04 06:06 UTC
Attachments
Fixes bug (1.58 KB, patch)
2011-03-21 16:49 UTC, TJ Saunders
Additional patch (1.05 KB, patch)
2011-03-22 10:54 UTC, TJ Saunders

Description TJ Saunders 2011-03-21 16:46:04 UTC
The mod_tls module is vulnerable to the same vulnerability as discussed here:

  http://www.postfix.org/CVE-2011-0411.html
Comment 1 TJ Saunders 2011-03-21 16:49:28 UTC
Created attachment 3586
Fixes bug

This patch fixes the issue by causing mod_tls to clear the buffers of any data
received from the client, once the SSL/TLS handshake has succeeded.
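
The buffer handling described in comment 1, as an added C example that is not part of the bug report or the ProFTPD source: a toy read buffer shows why bytes received before the handshake must be discarded once TLS is up. The `ctrl_buf` structure, all function names, and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a control-connection read buffer (not ProFTPD's structures). */
struct ctrl_buf { char data[256]; size_t len; };

/* Simulate one network read: everything the peer sent in one segment lands in the buffer. */
static void net_read(struct ctrl_buf *b, const char *bytes) {
    size_t n = strlen(bytes), room = sizeof(b->data) - b->len;
    if (n > room) n = room;
    memcpy(b->data + b->len, bytes, n);
    b->len += n;
}

/* Pop one CRLF-terminated command; returns 1 if a full line was available, else 0. */
static int next_command(struct ctrl_buf *b, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < b->len; i++) {
        if (b->data[i] != '\r' || b->data[i + 1] != '\n') continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, b->data, n);
        out[n] = '\0';
        memmove(b->data, b->data + i + 2, b->len - (i + 2));
        b->len -= i + 2;
        return 1;
    }
    return 0;
}

/* The mitigation: drop whatever was buffered before the TLS session existed. */
static void clear_pre_tls_data(struct ctrl_buf *b) { b->len = 0; }

/* Counts commands that were received in plaintext but are processed after the handshake. */
int plaintext_cmds_run_after_handshake(int apply_fix) {
    struct ctrl_buf b = { .len = 0 };
    char cmd[64];
    int count = 0;
    net_read(&b, "AUTH TLS\r\nNOOP\r\n");   /* constructed sample: two commands, one segment */
    next_command(&b, cmd, sizeof cmd);        /* server consumes AUTH TLS only */
    /* ... SSL/TLS handshake succeeds here ... */
    if (apply_fix) clear_pre_tls_data(&b);
    while (next_command(&b, cmd, sizeof cmd)) count++;  /* post-handshake command loop */
    return count;
}

int main(void) {
    printf("without fix: %d, with fix: %d\n",
           plaintext_cmds_run_after_handshake(0), plaintext_cmds_run_after_handshake(1));
    return 0;
}
```

Without the clearing step, the leftover line is handled as though it had arrived over the protected channel, even though it was never covered by TLS integrity protection.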
Comment 2 TJ Saunders 2011-03-21 17:26:03 UTC
Patch committed to CVS, and backported to 1.3.3 branch.
Comment 3 TJ Saunders 2011-03-22 10:54:43 UTC
Created attachment 3589
Additional patch

This patch is also necessary.  It builds on the first patch, and protects
against segfaults due to a possibly NULL pointer.
Comment 4 TJ Saunders 2011-04-06 03:56:32 UTC
Resolved in 1.3.4rc2.
Comment 5 TJ Saunders 2021-03-04 06:06:24 UTC
Looks like this is also known as CVE-2011-1575 (same attack, different STARTTLS
protocol):
  https://www.cvedetails.com/cve/CVE-2011-1575/