Netwin SurgeFTP Sever 23d6 – Persistent Cross-Site Scripting

• Exploit Database
• 18 阅读

• 作者： Un_N0n
  日期： 2015-11-19
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38762/

• ********************************************************************************************
  # Exploit Netwin SurgeFTP Sever Stored Cross Site Scripting Vulnerabilities 
  # Date: 11/18/2015
  # Exploit Author: Un_N0n
  # Vendor: NetWin
  # Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
  # Version: 23d6
  # Tested on: Windows 7 x64(64bit)
  ********************************************************************************************
  [Info]
  
  Surgeftp web-interface suffers with multiple Stored XSS vulnerabilities.
  
  They are:
  
  Stored XSS in 'Domain Name' field.
  
  [How to?]
  1. Open SurgeFTP web interface, Click on global option from the menu.
  2. Add a new domain, in 'Domain Name' field, add in this(<img src=x onmouseover=alert(1)>) payload.
  3. Save, then navigate to main page, hover mouse over 'broken image' in 'domains' section.
  
  Stored XSS in 'Mirrors'.
  
  [How to?]
  1. Open surgeftp web interface, Click on 'Mirrors' option from the menu.
  2. Click on Add Mirror, in 'Local path' & 'Remote Host' field add in this(<img src=x onmouseover=alert(1)>) payload.
  3. Save, then navigate to 'Mirror' page again, Hover mouse over the 'broken image' in 'local path' & 'remote host' field.
  
  Previously, Somebody else reported Stored XSS vulnerabilities in SurgeFTP.
  Vendor tried to fix the previously reported XSS vulnerabilities by blacklisting only the <script>alert('blah')</script> payload
  which is well not a good practice since i have triggered the same vulnerability by just entering different XSS payload,
  therefore White-listing is the correct solution.