Re: [JSch-users] Security hole in channels?
From: <ym...@jc...> - 2003-03-24 14:18:02
Hi,

+-From: Erwin Bolwidt <er...@kl...> --
|_Date: Mon, 24 Mar 2003 14:19:15 +0100 __
|
|It seems that channel identifiers are mapped to channels using a
|global mapping, independent of session. The ssh server can send a
|CHANNEL_DATA packet for any channel, whether or not it belongs to
|the current session, it seems (in Session.run()). So a malicious
|server could inject data into connections to other servers by
|simply trying channel identifiers starting with 1 and going up.
|
|But then in Session.disconnect(), all channels in the static
|variable Channel.pool are closed. So that leads me to suspect that
|only one Session to one ssh server is allowed at one time, since
|when a session is disconnected, all channels are closed, including
|those from other sessions.

You are right. I have not taken care of establishing multiple
sessions simultaneously. In those cases, channels should be managed
independently for each session. I will fix this problem as soon as
possible.

|One more issue: it seems (in Session.run()) that CHANNEL_OPEN
|requests from the ssh server are honored. The ssh client shouldn't
|do that according to the ietf draft, for security reasons.

I will also fix this problem.
Thank you for the feedback!

--
ymnk
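
The shared channel lookup described in the quoted report, next to the per-session table the reply says is needed, as an added Java example that is not part of the original thread and is not JSch's code. All class, field and method names are hypothetical, and the global id counter is an assumption made to keep the two lookups comparable.

```java
import java.util.HashMap;
import java.util.Map;
// Added illustration; every name here is hypothetical, not JSch's own code.
public class ChannelScopeDemo {
    static class Channel {
        final StringBuilder received = new StringBuilder();
        boolean open = true;
    }
    // Design described in the thread: one static table shared by all sessions.
    static final Map<Integer, Channel> SHARED_POOL = new HashMap<>();
    static int nextId = 0;

    static class Session {
        // Corrected design: each session keeps its own id-to-channel table.
        private final Map<Integer, Channel> channels = new HashMap<>();
        int openChannel() {
            Channel c = new Channel();
            int id = nextId++;
            SHARED_POOL.put(id, c);  // registry as in the flawed design
            channels.put(id, c);     // registry scoped to this session
            return id;
        }
        // Flawed lookup: a packet from this session's server reaches any channel.
        boolean onDataShared(int id, String data) { return deliver(SHARED_POOL.get(id), data); }
        // Scoped lookup: ids this session did not allocate are dropped.
        boolean onDataScoped(int id, String data) { return deliver(channels.get(id), data); }
        private static boolean deliver(Channel c, String data) {
            if (c == null || !c.open) return false;
            c.received.append(data);
            return true;
        }
        // Closes only this session's channels; other sessions keep theirs.
        void disconnect() {
            channels.values().forEach(c -> c.open = false);
            SHARED_POOL.keySet().removeAll(channels.keySet());
            channels.clear();
        }
    }

    public static void main(String[] args) {
        Session a = new Session(), b = new Session();
        int idA = a.openChannel();   // id 0, owned by session A
        b.openChannel();             // id 1, owned by session B
        System.out.println("shared lookup accepts A's id on B: " + b.onDataShared(idA, "x"));
        System.out.println("scoped lookup accepts A's id on B: " + b.onDataScoped(idA, "x"));
        b.disconnect();
        System.out.println("A's channel still usable: " + a.onDataScoped(idA, "ok"));
    }
}
```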