The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.
On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails.
XXE vulnerabilities can be exploited by tricking applications to parse specially crafted XML files that would force the XML parser to disclose sensitive information such as files, directory listings, or even information about processes running on the server.
Klink showed that the same type of vulnerabilities can be used to trick the Java runtime to initiate FTP connections to remote servers by feeding it FTP URLs in the form of ftp://user:[email protected]:port/file.ext.
Read more here:: IT news – Security