Re: Wing FTP Server - Cross Site Scripting Vulnerability

[werew01f <hack.werew01f () gmail com>]

Discussion with the wftpserver.com support. This vulnerability was not
consider critical as it requires authenticated login to exploit. But it will
be fixed on the next release in about a month time.


On Wed, Jun 2, 2010 at 5:35 PM, werew01f <hack.werew01f () gmail com> wrote:

> Security Advisory: Wing FTP Server - Cross Site Scripting Vulnerability
> ========================================================
>
> Discovered Date: May 31, 2010
> System affected: Wing FTP Server for Windows, Version 3.5.0 and prior
> version
>
> Vulnerability Description:
> ==================
> Wing FTP server is a multi-protocol file server, which support such as
> HTTP and FTP. It comes with a Web-based "Administrator" Console. The
> XSS vulnerability is found in the "Administrator" Web interface.
>
> In the "Administrator" web interface, script can be injected from the
> POST command. This can be exploited by injecting arbitrary HTML and
> malicious script code, which will execute in a user's browser session.
>
> The Vulnerable URL: http://x.x.x.x:5466/admin_loginok.html (Default
> port is 5466).
>
> Researcher Info:
> ============
> Discovered by: w01f
> Website: http://labs-werew01f.blogspot.com
> E-mail: hack [dot] werew01f [at] gmail [dot] com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/