Ipswitch WS_FTP Server Script Insertion
Thursday, 30 August 2007
John Harwold has discovered a vulnerability in Ipswitch WS_FTP Server, which can be exploited by malicious users to conduct script insertion attacks.
Parameters passed to valid FTP commands are not properly sanitised before the command is logged. This can be exploited to insert arbitrary HTML and script code, which is executed in the administrator's browser session in context of the administrative web interface when the malicious logs are viewed.
The vulnerability is confirmed in WS_FTP Server 6. Other versions may also be affected.
Restrict access to the WS_FTP server to trusted users only.
Provided and/or discovered by:
John Harwold, VDA Labs
Share this content: