The JSCAPE Secure FTP Applet suffers from a man-in-the-middle vulnerability. JSCAPE software has been deployed in a wide array of industries including aerospace, banking, communications, education, insurance, finance, government and software. JSCAPE has customers in more than 50 countries worldwide; a small sample of companies using JSCAPE products and services includes Boeing, SUN, ISS and SAP. See http://www.jscape.com/clients.html for more details.
The JSCAPE Secure FTP Applet is a secure FTP client that runs within Java enabled web browsers. The software supports SFTP (FTP over SSH) and FTPS (FTP over SSL) for encrypted file transfer.
To prevent man-in-the-middle attacks it is important to check the authenticity of the destination server by verifying the server's host key when establishing the SSH connection. With previous versions of the JSCAPE Secure FTP Applet it was not possible to verify the authenticity of the destination server.
When using affected versions of the JSCAPE Secure FTP Applet, users are not able to detect man-in-the-middle attacks, so the supposedly secure connection is no longer secure. An attacker who interposes on the connection is able to eavesdrop on it in order to extract the username and password, or to take over the initiated session.
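The host key check described above, as an added Python example that is not code from JSCAPE or the applet: it compares the key a server presents during the SSH handshake against a pinned known_hosts entry and treats a mismatch as a possible man-in-the-middle. The host name, keys and known_hosts line are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length then payload."""
    return struct.pack(">I", len(data)) + data

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, key_type) -> key blob from plain (unhashed) known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        for host in hosts.split(","):
            entries[(host, key_type)] = base64.b64decode(b64)
    return entries

def check_host_key(host: str, key_type: str, presented: bytes, known_hosts: str) -> str:
    """Decide whether the key the server presented during the SSH handshake is trusted.

    'ok'       - matches the pinned key: proceed with the connection
    'unknown'  - no pinned key: confirm the fingerprint out of band before trusting it
    'mismatch' - pinned key differs: possible man-in-the-middle, abort the connection
    """
    pinned = parse_known_hosts(known_hosts).get((host, key_type))
    if pinned is None:
        return "unknown"
    return "ok" if hmac.compare_digest(pinned, presented) else "mismatch"

# Constructed sample data: a hypothetical host, its genuine key and an interposer's key.
GENUINE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ATTACKER_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
KNOWN_HOSTS = "sftp.example.test ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode()

if __name__ == "__main__":
    print("genuine server :", check_host_key("sftp.example.test", "ssh-ed25519", GENUINE_KEY, KNOWN_HOSTS))
    print("interposed host:", check_host_key("sftp.example.test", "ssh-ed25519", ATTACKER_KEY, KNOWN_HOSTS))
    print("pinned key     :", fingerprint(GENUINE_KEY))
```

A client that skips this step, as the affected applet did, accepts whichever key arrives first, which is why the 'mismatch' branch has to abort rather than warn.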