Jump to content
Sign in to follow this  

Wing FTP Server Admin 4.4.5 CSRF / Cross Site Scripting

Recommended Posts

Document Title:
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities

Release Date:

apparitionsec ID (AS-ID):

Common Vulnerability Scoring System:
Overall CVSS Score 8.9

Wing FTP Server is a Web based administration FTP client that supports
following protocols FTP, FTPS, HTTPS, SSH

Advisory Information:
Security researcher John Page discovered a CSRF & client-side cross site
scripting web vulnerability within Wing FTP Server Admin that allows adding
arbitrary users to the system.

Vulnerability Disclosure Timeline:
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new patched version 4.4.6
April 28, 2015: Public Disclosure - John Page

Affected Product(s):
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin

Exploitation Technique:

Severity Level:

Technical Details & Description:

Request Method(s):
[+] POST & GET

Vulnerable Product:
[+] Wing FTP Server Admin 4.4.5

Vulnerable Parameter(s):
[+] domain & type

Affected Area(s):
[+] Server Admin

Proof of Concept (POC):
The CSRF and client-side cross site scripting web vulnerability can be
exploited by remote attackers without privileged application user account
and with low user interaction (click). Payload will add arbitrary users to
the system.

POC: Example

http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]

POC: Payload(s) Add arbitrary user to the system:




Solution - Fix & Patch:
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)

Security Risk:
The security risk of the CSRF client-side cross site scripting web
vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9

Credits & Authors:
John Page ( hyp3rlinx ) - ISR godz @Apparitionsec

Disclaimer & Information:
The information provided in this advisory is provided as it is without any
warranty. the security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special

Domains: hyp3rlinx.altervista.org

Source: http://dl.packetstormsecurity.net/1504-exploits/AS-WFTP0328.txt

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...