Java and Python have unpatched firewall-crossing FTP SNAFU • The Register
1 comment
0 u/derram 21 Feb 2017 19:06
https://archive.is/sQLJe | https://vgy.me/8XZQLa.png :
"Klink's demonstration showed how to send an SMTP e-mail in an FTP connection attempt (even though the FTP connection failed)."
"By way of mitigation, Morgan suggests disabling Java on desktops and in browsers; and disabling “classic mode” FTP on all firewalls. ®"
"Stop us if you've heard this one: Java and Python have a bug you can exploit to cross firewalls."
"Klink's discovery was that Java's XML eXternal Entity (XXE) mishandles FTP connections, because it doesn't syntax-check the username Java passes to a server."
"Specifically, and should be rejected but aren't, allowing non-FTP commands to be injected into a connection request."
This has been an automated message.
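The mechanism the quoted article describes, shown as an added example that is not part of the thread, the article, or the Java/Python code bases: a client that copies the user part of an ftp:// URL into the FTP USER command without syntax-checking it lets percent-encoded CR/LF split one command into several lines, so an SMTP server listening on the target port reads the injected lines as its own commands. The URL, host names and addresses below are constructed for the demonstration; the hardened variant simply refuses any CR or LF before building the command.

```python
"""Constructed demonstration of FTP protocol injection via an unchecked username.

Not code from The Register article or from Java/Python; it models the defect
the article describes and a client that rejects it.
"""
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"

# A small set of FTP verbs, enough to tell FTP lines from injected ones.
FTP_VERBS = {"USER", "PASS", "CWD", "PASV", "PORT", "RETR", "STOR", "QUIT", "TYPE", "LIST"}

# Constructed attack URL: %0d%0a decodes to CRLF inside the username, and the
# port is the SMTP port, so the "FTP" login is really a conversation with a
# mail server. Host and addresses are placeholders.
ATTACK_URL = (
    "ftp://u%0d%0aHELO%20a.example%0d%0aMAIL%20FROM%3A%3Cx%40a.example%3E"
    ":p@mail.example:25/"
)

# Constructed benign URL for comparison.
BENIGN_URL = "ftp://alice:s3cret@ftp.example/"


class ProtocolInjection(ValueError):
    """Raised when a credential would break the one-command-per-line framing."""


def _credentials(url: str):
    """Percent-decode user and password from an ftp:// URL (both may be empty)."""
    parts = urlsplit(url)
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "")
    return user, password


def naive_ftp_login_bytes(url: str) -> bytes:
    """What a client sends when it interpolates the username unchecked.

    This is the defect described in the article: decoded CR/LF inside the
    username ends the USER line early and everything after it becomes
    additional commands on the wire.
    """
    user, password = _credentials(url)
    return f"USER {user}{CRLF}PASS {password}{CRLF}".encode()


def safe_ftp_login_bytes(url: str) -> bytes:
    """Same construction, but refuse line terminators in either credential."""
    user, password = _credentials(url)
    for field, value in (("username", user), ("password", password)):
        if "\r" in value or "\n" in value:
            raise ProtocolInjection(f"CR/LF in FTP {field}")
    return f"USER {user}{CRLF}PASS {password}{CRLF}".encode()


def wire_lines(payload: bytes) -> list:
    """Split the byte stream into the protocol lines the server would read."""
    text = payload.decode()
    lines = text.split(CRLF)
    if lines and lines[-1] == "":
        lines.pop()  # trailing CRLF leaves an empty final element
    return lines


def foreign_commands(payload: bytes) -> list:
    """Lines whose first word is not an FTP verb: the injected SMTP commands."""
    result = []
    for line in wire_lines(payload):
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb not in FTP_VERBS:
            result.append(line)
    return result


if __name__ == "__main__":
    payload = naive_ftp_login_bytes(ATTACK_URL)
    print("naive client sends:")
    for line in wire_lines(payload):
        print("  ", repr(line))
    print("injected (non-FTP) lines:", foreign_commands(payload))
    try:
        safe_ftp_login_bytes(ATTACK_URL)
    except ProtocolInjection as exc:
        print("hardened client refused:", exc)
```

Run stand-alone, the naive client emits four lines for the attack URL, of which HELO and MAIL FROM are the SMTP commands the mail server acts on (it answers USER and PASS with an error, which is why the article notes the FTP connection itself fails); the hardened client never opens a socket because it rejects the credential first.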