
Ipswitch WS_FTP Server Script Insertion

Thursday, 30 August 2007

Description:

John Harwold has discovered a vulnerability in Ipswitch WS_FTP Server, which can be exploited by malicious users to conduct script insertion attacks.

Parameters passed to valid FTP commands are not properly sanitised before the command is logged. This can be exploited to insert arbitrary HTML and script code, which is executed in the administrator's browser session, in the context of the administrative web interface, when the malicious logs are viewed.

The vulnerability is confirmed in WS_FTP Server 6. Other versions may also be affected.
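The flaw described above, as an added example that is not code from WS_FTP Server or from the original advisory: a hypothetical log viewer that builds HTML table rows from logged FTP command parameters, first by plain concatenation and then with output encoding applied at render time. The log tuple layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample entries (timestamp, client, command, parameter).
# This is not the product's real log format.
SAMPLE_LOG = [
    ("2007-08-30 10:01:02", "203.0.113.5", "USER", "alice"),
    ("2007-08-30 10:01:09", "203.0.113.5", "CWD", "<script>alert(1)</script>"),
    ("2007-08-30 10:01:15", "203.0.113.5", "MKD", 'x" onmouseover="alert(1)'),
]

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def render_row_unsafe(ts, ip, cmd, arg):
    """Behaviour the advisory describes: the logged parameter is placed
    into the page as-is, so markup in it becomes part of the admin page."""
    return (f"<tr><td>{ts}</td><td>{ip}</td><td>{cmd}</td>"
            f'<td title="{arg}">{arg}</td></tr>')


def encode_field(value, max_len=256):
    """Neutralise control characters, truncate, then HTML-encode.
    Truncating before encoding avoids cutting an entity in half.
    quote=True also encodes " and ', covering quoted attribute values."""
    cleaned = _CONTROL.sub("?", value)[:max_len]
    return html.escape(cleaned, quote=True)


def render_row_safe(ts, ip, cmd, arg):
    """Every field is treated as untrusted text, including the command."""
    ts, ip, cmd, arg = (encode_field(v) for v in (ts, ip, cmd, arg))
    return (f"<tr><td>{ts}</td><td>{ip}</td><td>{cmd}</td>"
            f'<td title="{arg}">{arg}</td></tr>')


def render_log(rows, row_renderer):
    """Build the log table with the chosen row renderer."""
    body = "\n".join(row_renderer(*row) for row in rows)
    return f"<table>\n{body}\n</table>"


if __name__ == "__main__":
    print(render_log(SAMPLE_LOG, render_row_unsafe))
    print(render_log(SAMPLE_LOG, render_row_safe))
```

Encoding at render time keeps the raw log intact for forensics while the viewer displays the parameter as inert text.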

Solution:
Restrict access to the WS_FTP server to trusted users only.

Provided and/or discovered by:
John Harwold, VDA Labs

Original Advisory:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065441.html

http://secunia.com/advisories/26529/


