Jun 1, 2010

Wing FTP Server - Cross Site Scripting Vulnerability

The Wing FTP Server was found to be vulnerable to Cross Site Scripting(XSS) vulnerability, which could be exploited using malicious scripts.

Discovered Date: May 31, 2010
System affected: Wing FTP Server for Windows, Version 3.5.0 and prior version
Discovered by: w01f

Vulnerability Description:
==================
Wing FTP server is a multi-protocol file server, which support such as HTTP and FTP. It comes with a Web-based "Administrator" Console. The XSS vulnerability is found in the "Administrator" Web interface . It is accessible using the server IP with default port 5366 (Eg. http://192.168.0.1:5466). Script can be injected to the "POST" command. This can be exploited by injecting arbitrary HTML and malicious script code, which will execute in a user's browser session.

Vulnerability testing:
===============
Vulnerable URL: http://192.168.41.137:5466/admin_loginok.html
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3
with Web proxy

In the "Administrator" web interface, from the login page, a simple "alert("You are HACKed!")" script was injected to the "POST" command. It was executed and display on the web browser. Malicious script could be executed using this method.

Remediation:
==========
Discussion with the wftpserver.com support. This vulnerability was not consider critical as it requires authenticated login to exploit. But it will be fixed on the next release in about a month time.

Updated 10 Jun 2010:
The flaw was fixed on version 3.5.1.

References:
- Common Vulnerabilities and Exposures: CVE-2010-2428
- National Vulnerability Database (CVE-2010-2428)
- ISS X-Force Database: wingftpserver-adminloginok-xss (59094)
- SecurityFocus: Wing FTP Server 'admin_loginok.html' HTML Injection Vulnerability
- OSVDB 65444 : Wing FTP Server Admin Interface admin_loginok.html XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert
- Bugtraq: Wing FTP Server - Cross Site Scripting Vulnerability
- Packet Storm: wingftp-xss.txt




No comments:

Post a Comment