Wing FTP Server Admin 4.4.5 - CSRF Vulnerability Add Users

Vendor:
============================================
http://www.wftpserver.com/serverhistory.htm

Release Date:
=============
2015-04-28

Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-WFTPXSS.txt

Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9

Product:
===============================
Wing FTP Server is an FTP server with a web-based administration interface; it supports the FTP, FTPS, HTTPS and SSH protocols.

Advisory Information:
==============================
CSRF vulnerability within Wing FTP Server Admin that allows adding arbitrary users to the system.
The technical details and proof of concept below document cross-site scripting via the GET parameters domain and type of the Server Admin interface.

Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page (hyp3rlinx)

Affected Product(s):
====================
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Request Method(s):
[+] GET

Vulnerable Product:
[+] Wing FTP Server Admin <= 4.4.5

Vulnerable Parameter(s):
[+] domain & type

Affected Area(s):
[+] Server Admin

Proof of Concept (POC):
=======================
POC XSS: http://localhost:5466/admin_viewstatus.html?domain=[XSS VECTOR]
POC XSS: http://localhost:5466/admin_event_list.html?type=[XSS VECTOR]

Solution - Fix & Patch:
=======================
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)

Credits & Authors:
==================
John Page ( hyp3rlinx )

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx(TM) (c) 2015
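The POC above places an XSS vector in the domain and type GET parameters. The following is an added example (not part of the advisory and not Wing FTP Server code) of how a practitioner verifies such a finding without guessing: build the probe URL for the advisory's endpoints, then classify whether a harmless marker comes back in the response raw (the parameter is written into the page unencoded) or HTML-encoded (the fix applied output encoding). The two response bodies are constructed stand-ins, not captured output from any Wing FTP Server build, and the two render_* functions are hypothetical illustrations of the vulnerable versus hardened way of echoing the parameter.

```python
import html
from urllib.parse import urlencode

# Marker that is unlikely to appear in a page on its own; wrapped in angle
# brackets so that an unencoded reflection would create a new HTML tag.
MARKER = "xss7f3a"
PROBE = f"<{MARKER}>"

# Constructed sample responses (not captured from a real Wing FTP Server).
# The first echoes the parameter as-is, the second HTML-encodes it.
VULNERABLE_RESPONSE = (
    f"<html><body>Status for domain: <b><{MARKER}></b></body></html>"
)
FIXED_RESPONSE = (
    f"<html><body>Status for domain: <b>&lt;{MARKER}&gt;</b></body></html>"
)


def build_probe_url(base, page, param, payload):
    """URL for the advisory's endpoint with the probe in the named parameter.

    urlencode percent-encodes the angle brackets; the server decodes them
    before reflecting, so the encoded form in the URL does not protect the page.
    """
    return f"{base}/{page}?{urlencode({param: payload})}"


def classify_reflection(body, probe):
    """Return 'unescaped', 'escaped' or 'absent' for the probe in a response body.

    'unescaped' means the markup survived verbatim (injection confirmed);
    'escaped' means the page HTML-encoded it (what the fix should produce).
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=False) in body or html.escape(probe) in body:
        return "escaped"
    return "absent"


# Hypothetical server-side rendering of the domain parameter: the vulnerable
# form interpolates the value directly, the fixed form encodes it for HTML.
def render_domain_status_vulnerable(domain):
    return f"<p>Status for domain: {domain}</p>"


def render_domain_status_fixed(domain):
    return f"<p>Status for domain: {html.escape(domain)}</p>"


if __name__ == "__main__":
    for page, param in (("admin_viewstatus.html", "domain"),
                        ("admin_event_list.html", "type")):
        print(build_probe_url("http://localhost:5466", page, param, PROBE))
    print("constructed vulnerable body:",
          classify_reflection(VULNERABLE_RESPONSE, PROBE))
    print("constructed fixed body:     ",
          classify_reflection(FIXED_RESPONSE, PROBE))
    print("render vulnerable:", classify_reflection(
        render_domain_status_vulnerable(PROBE), PROBE))
    print("render fixed:     ", classify_reflection(
        render_domain_status_fixed(PROBE), PROBE))
```

Against a live target the same classify_reflection call is applied to the body returned for each probe URL, authenticated as an admin, since the affected pages sit behind the Server Admin login; a result of "unescaped" on 4.4.5 and "escaped" (or "absent") on 4.4.6 is what confirms both the finding and the vendor fix.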