Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17917
HistoryAug 29, 2007 - 12:00 a.m.

[Full-disclosure] Ipswitch FTP XSS leads to FTP server compromise

2007-08-2900:00:00
vulners.com
29
JSON

VDA Labs Advisory:

Ipswitch FTP XSS leads to FTP server compromise. The Vendor has been
notified, and given the PoC.

Synopsis:

There is XSS vulnerability when the WS_FTP server logs client FTP
commands. All user commands are logged. When the FTP command is invalid
(error), special characters are converted to HTML chars (< = &lt;, > =
&gt;), and logged. However, when the FTP command is valid, there is no
sanity check. Thus, it is possible to inject HTML and Javascript into
the log file.

The WS_FTP administration interface (IIS web application written in ASP)
has a view log option. When logs are viewed, it is possible to steal
the administrator cookie, or even better, DIRECTLY create a new user (or
admin) account for FTP server.

We've created a little PoC that will create a new system administrator
account when the admin view logs. The PoC is simple and injects an
<iframe> that leads to another html file that creates the new account.

Discovered by:

John Harwold, VDA Labs, LLC

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON