PHPWebFTP 3.3b Cross Site Scripting

Type packetstorm
Reporter N_A
Modified 2016-05-08T00:00:00


PHPWebFTP ver 3.3b - XSS vulnerability, by N_A.  
N_A [at]  
Vendor has been notified.  
phpWebFTP enables connections to FTP servers, even behind a firewall not   
allowing traffic. phpWebFTP bypasses the firewall by making an FTP connection   
from your web server to the FTP server and transferring the files to your web   
client over the HTTP protocol.  
PHPWebFTP ver 3.3b allows malicious code injection through some variables that   
the user controls. This allows an attacker to inject malicious code to carry out   
XSS attacks against the program.  
----snip , index.php----  
----snip , index.php----  
Further down in the code, the variables are passed on without any   
security or filtering checks:  
----snip, index.php----  
$ftp = new ftp($server, $port, $user, $password, $passive);  
----snip, index.php----  
Code injected into the [server] field: <script>alert('executed');</script>  
This is also possible for the [username], [port] and [field] options.  
N_A [at]  
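
An added example (not code from phpWebFTP or from this advisory) of the filtering the advisory says is missing: the server and port fields are validated, and every value is HTML-escaped before it is reflected into the page. The function names and the `$input` array are hypothetical, and PHP 7.0 or later is assumed.

```php
<?php
// Added example: hypothetical helpers, not phpWebFTP's own code (PHP 7.0+ assumed).

// Escape a value for use in HTML text or inside a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only an IP address or a syntactically valid hostname.
function clean_server(string $raw): ?string
{
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;
    }
    $host = filter_var($raw, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
    return $host === false ? null : $host;
}

// Accept only an integer in the valid TCP port range.
function clean_port(string $raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    return $port === false ? null : $port;
}

// Constructed sample input standing in for the submitted form fields.
$input = [
    'server' => "<script>alert('executed');</script>",
    'port'   => '21',
    'user'   => 'anonymous',
];

// Unsafe pattern: echo '<p>' . $input['server'] . '</p>'; reflects markup verbatim.

$server = clean_server($input['server']);
$port   = clean_port($input['port']);

if ($server === null || $port === null) {
    // Rejected input is still escaped before it is shown back to the user.
    echo '<p>Invalid server or port: ' . h($input['server']) . '</p>', "\n";
} else {
    echo '<p>Connecting to ' . h($server) . ':' . $port
       . ' as ' . h($input['user']) . '</p>', "\n";
}
```

Validation rejects the injected value, and the escaping on output keeps it inert even in the error message, so the two checks do not depend on each other.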