KB Article #176877

FTP Service AUTH TLS Plaintext Command Injection (CVE-2011-0411)

Problem

Is the SecureTransport server vulnerable to "FTP Service AUTH TLS Plaintext Command Injection" (CVE-2011-0411)?



Resolution

FTP Service AUTH TLS Plaintext Command Injection is a technique for injecting a command during the plaintext phase of the protocol so that it is executed during the encrypted phase.



This issue was only officially reported for the SMTP protocol, which is not used by the SecureTransport server.



http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411

Although the same method can be used for the FTP protocol, an attacker can at most execute commands that don't require authentication (FEAT, QUIT, OPTS). The execution of such commands cannot lead to a security issue.



Still, the above is a deviation from RFC 2228, and more precisely from the following requirement:
"The AUTH command, if accepted, removes any state associated with prior FTP Security commands."



Although Axway currently does not recognize this as a security vulnerability, the above deviation from the protocol RFC is fixed in Service Pack 5 for SecureTransport version 5.2.1.
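
The behaviour described above, as an added example that is not Axway code and not taken from SecureTransport: an in-memory model of an FTP control channel that either keeps or discards plaintext buffered behind the AUTH line. The names ControlChannel, run and discard_on_auth are hypothetical, and discarding the buffer is assumed here as one way to remove prior state when AUTH is accepted.

```python
# Added illustration: in-memory model of an FTP control channel (no sockets).
# ControlChannel, run and discard_on_auth are hypothetical names.

# Commands the article lists as usable without authentication.
PRE_AUTH_COMMANDS = {"FEAT", "QUIT", "OPTS"}


class ControlChannel:
    def __init__(self, discard_on_auth):
        self.discard_on_auth = discard_on_auth
        self.buffer = b""        # bytes received but not yet parsed
        self.tls_active = False
        self.executed = []       # (verb, phase in which it was executed)

    def feed(self, data):
        """Append bytes delivered by the transport (plaintext, or decrypted after TLS)."""
        self.buffer += data

    def _next_line(self):
        line, sep, rest = self.buffer.partition(b"\r\n")
        if not sep:
            return None          # no complete command line buffered
        self.buffer = rest
        return line.decode("ascii", "replace")

    def process(self):
        while (line := self._next_line()) is not None:
            verb = line.split(" ", 1)[0].upper()
            if verb == "AUTH" and not self.tls_active:
                # The TLS handshake would take place here.
                if self.discard_on_auth:
                    # Assumed fix: drop plaintext still buffered behind the AUTH line.
                    self.buffer = b""
                self.tls_active = True
                continue
            if verb in PRE_AUTH_COMMANDS:
                phase = "tls" if self.tls_active else "plain"
                self.executed.append((verb, phase))
        return self.executed


def run(discard_on_auth):
    ch = ControlChannel(discard_on_auth)
    # Constructed sample: a single plaintext read that holds AUTH TLS and a trailing command.
    ch.feed(b"AUTH TLS\r\nFEAT\r\n")
    ch.process()
    # Constructed sample: the client's first command after the handshake (already decrypted).
    ch.feed(b"OPTS UTF8 ON\r\n")
    return ch.process()
```

With discard_on_auth set to False, the FEAT that arrived in plaintext is recorded as executed in the TLS phase; with it set to True, only the command sent after the handshake is executed.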