SolarWinds Serv-U FTP 15.1.6.25 Cross Site Scripting

`Issue: Reflected Cross-Site Scripting  
CVE: CVE-2018-19934  
Security researcher: Chris Moberly @ The Missing Link Security  
Product name: Serv-U FTP Server  
Product version: Tested on 15.1.6.25 (current as of Dec 2018)  
Fixed in: Serv-U 15.1.6 hotfix 3  
  
# Overview  
The Serv-U FTP Server is vulnerable to a reflected cross-site scripting  
attack at the following injection points:  
  
**Injection Point: URL Path**  
* /Admin/XML  
* /Admin/XML/Result.xml  
  
As a proof of concept, browsing to the URLs below while authenticated as a  
member of one of the administrative groups will produce a harmless JavaScript  
alert box.  
  
* /Admin/XML/Result.xml%22%3balert('XSS!')//xxx?Command=DismissWhatsNew  
* /Admin/XML%22%3balert('XSS!')//xxx/Result.xml?Command=DismissWhatsNew  
  
Additionally, another less-likely injection point was found in a POST  
parameter. This can be demonstrated in the UI by defining an SMTP server  
and sending a test alert. The affected URL is as follows:  
  
**Injection Point: HTTP POST Parameter**  
* /Admin/XML/SMTPResult.xml ('SMTPServer' parameter)  
  
  
  
`