Re: [JSch-users] Security hole in channels?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

   +-From: Erwin Bolwidt <er...@kl...> --
   |_Date: Mon, 24 Mar 2003 14:19:15 +0100 __
   |
   |It seems that channel identifiers are mapped to channels using a
   |global mapping, independent of session. The ssh server can send a
   |CHANNEL_DATA packet for any channel, whether or not it belongs to
   |the current session, it seems (in Session.run()) So a malicious
   |server could inject data into connections to other servers by
   |simply trying channel identifiers starting with 1 and going up.
   |
   |But then in Session.disconnect(), all channels in the static
   |variable Channel.pool are closed. So that leads me to suspect that
   |only one Session to one ssh server is allowed at one time, since
   |when a session is disconnected, all channels are closed, including
   |those from other sessions.

You are right.  I have not been cared for establishing multiple sessions
simultaneously.  In those cases, channels should be managed independently
for each sessions.  I will fix this problem as soon as possible.

   |One more issue: it seems (in Session.run()) that CHANNEL_OPEN
   |requests from the ssh server are honored. The ssh client shouldn't
   |do that according to the ietf draft, for security reasons.

I will also fix this problem.

Thank you for feedbacks!
--
ymnk