Stop us if you’ve heard this one: Java and Python have a bug you can exploit to cross firewalls. Since neither is yet patched, it might be a good day to nag your developers for a bit.

The Java vulnerability means protocol injection through its FTP implementation can fool a firewall into allowing TCP connections from the Internet to hosts on the inside. That’s explained in rather more detail in two documents: this, by Alexander Klink, and this, by Blindspot Security’s Timothy Morgan.

Klink’s discovery was that Java’s XML eXternal Entity (XXE) processing mishandles FTP connections, because it doesn’t syntax-check the username Java passes to a server. Specifically, CR and LF should be rejected but aren’t, allowing non-FTP commands to be injected into a connection request. Klink’s demonstration showed how to send an SMTP e-mail in an FTP connection attempt (even though the FTP connection failed).
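The missing syntax check described above, sketched in Python as an added example (not code from the article, Klink, Morgan, or either runtime). The function and exception names and the sample URLs are constructed for illustration, and the check is extended from the username to the password as well.

```python
from urllib.parse import urlsplit, unquote


class UnsafeFtpUrl(ValueError):
    """Raised when an FTP URL would put control characters on the command channel."""


def _has_control_chars(value):
    # CR and LF end an FTP command line; reject every other C0 control and DEL too.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def ftp_login_commands(url):
    """Return the USER/PASS command lines for an ftp:// URL, or raise UnsafeFtpUrl."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise UnsafeFtpUrl("not an ftp:// URL")
    # Decode before checking: the dangerous bytes usually arrive
    # percent-encoded (%0D%0A), so a check on the raw URL text misses them.
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "")
    for name, value in (("username", user), ("password", password)):
        if _has_control_chars(value):
            raise UnsafeFtpUrl(f"control character in {name}")
    # Only now is it safe to frame the values as command lines.
    return [f"USER {user}\r\n", f"PASS {password}\r\n"]


if __name__ == "__main__":
    # Constructed sample URLs; the second carries an encoded CR LF in the username.
    samples = [
        "ftp://alice:s3cret@ftp.example.test/file.txt",
        "ftp://alice%0D%0AINJECTED:pw@ftp.example.test/file.txt",
    ]
    for sample in samples:
        try:
            print(sample, "->", ftp_login_commands(sample))
        except UnsafeFtpUrl as exc:
            print(sample, "-> rejected:", exc)
```

The same rule applies to any URL-derived field that ends up on a line-oriented control channel: decode, validate, then frame.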
ORIGINAL SOURCE: The Register