Discovered Date: May 31, 2010
System affected: Wing FTP Server for Windows, Version 3.5.0 and prior version
Discovered by: w01f
Wing FTP Server is a multi-protocol file server that supports protocols such as HTTP and FTP. It comes with a Web-based "Administrator" console. The XSS vulnerability is found in the "Administrator" Web interface, which is accessible using the server IP with default port 5366 (e.g. http://192.168.0.1:5466). Script can be injected into the "POST" request. This can be exploited by injecting arbitrary HTML and malicious script code, which will execute in a user's browser session.
Vulnerable URL: http://192.168.41.137:5466/admin_loginok.html
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3, with a Web proxy
In the "Administrator" web interface, from the login page, a simple alert("You are HACKed!") script was injected into the "POST" request. It was executed and displayed by the web browser. Malicious script could be executed using this method.
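The root cause described above is a login handler that copies a submitted form value into the response page without HTML-encoding it. The following is an added illustration, not Wing FTP Server's code: a hypothetical minimal handler that parses a constructed POST body (carrying the same harmless test string quoted in this advisory), first in its vulnerable form and then hardened with output encoding. The function names `parse_post`, `render_vulnerable`, `render_fixed` and `contains_markup` are assumptions made for this example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample POST body, as a browser would send it to a login form.
# The username value carries the same harmless test string quoted in the advisory.
SAMPLE_BODY = 'username=%3Cscript%3Ealert(%22You+are+HACKed!%22)%3C%2Fscript%3E&password=x'


def parse_post(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single string values."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def render_vulnerable(fields: dict) -> str:
    """Hypothetical vulnerable handler: echoes the submitted username verbatim.

    Any markup in the value becomes part of the page and is interpreted by the
    browser, which is the defect class this advisory reports.
    """
    return f"<p>Login failed for user {fields.get('username', '')}</p>"


def render_fixed(fields: dict) -> str:
    """Hardened handler: HTML-escape every reflected value before it reaches the page.

    html.escape() with quote=True converts <, >, &, " and ' into entities, so the
    browser renders the text literally instead of executing it.
    """
    user = html.escape(fields.get('username', ''), quote=True)
    return f"<p>Login failed for user {user}</p>"


def contains_markup(page: str) -> bool:
    """Regression check: did a raw script tag survive into the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    fields = parse_post(SAMPLE_BODY)
    print("vulnerable:", render_vulnerable(fields))  # raw <script> tag reaches the browser
    print("fixed:     ", render_fixed(fields))       # tag arrives as &lt;script&gt;
```

The check in `contains_markup` is the kind of assertion a release test suite can run over every page that reflects user input; encoding at the point of output (rather than filtering on input) is the fix that covers every parameter of the request, not only the one found during testing.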
Discussion with wftpserver.com support: this vulnerability was not considered critical as it requires an authenticated login to exploit, but it will be fixed in the next release, in about a month's time.
Updated 10 Jun 2010:
The flaw was fixed on version 3.5.1.
- Common Vulnerabilities and Exposures: CVE-2010-2428
- National Vulnerability Database (CVE-2010-2428)
- ISS X-Force Database: wingftpserver-adminloginok-xss (59094)
- SecurityFocus: Wing FTP Server 'admin_loginok.html' HTML Injection Vulnerability
- OSVDB 65444: Wing FTP Server Admin Interface admin_loginok.html XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert
- Bugtraq: Wing FTP Server - Cross Site Scripting Vulnerability
- Packet Storm: wingftp-xss.txt