The existence of bugs in Java and Python which allows attackers to circumvent firewall defenses.The main vulnerability has occurred because Java does not verify the syntax of user names in its FTP protocol.
The connection to FTP servers does support authentication, but Java’s XML eXternal Entity (XEE) does not check for the present of carriage returns (CR) or line feeds (LF) in usernames.
This, in turn, grants attackers the opportunity to terminate ‘user’ or ‘pass’ commands and inject new commands into the FTP session,alongside arbitrary SMTP commands, as well as connecting remotely to servers to send unauthorized email.
This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing. It even allows for sending attachments, since the URL length seems to be unrestricted and only limited by available RAM (parsing a 400MB long URL did take more than 32 GBs of RAM for some reason.
The vulnerability can also be exploited to parse malicious JNLP files, conduct man-in-the-middle (MiTM) attacks, or Server-Side Request Forgery (SSRF) campaigns.
The Java bug, also known as an FTP protocol injection flaw, “allows one to fool a victim’s firewall into allowing TCP connections from the Internet to the vulnerable host’s system on any “high” port (1024-65535).”
In the case of Java, the attack can be carried out against desktop PC users,even if they do not have the Java browser plugin enabled.A”nearly identical” bug also exists in Python’s urllib2 and urllib libraries. However, while the Java security flaw is not limited to attacks based on directory names listed in malicious URLs, the Python bug does appear to be limited in this manner.
When both enterprise players and the general public should disable classic mode FTP by default and says that applications should be audited to ascertain whether or not they are vulnerable to these attacks.