Vulners
Lucene search
wsftp-disclose.txt
🗓️ 06 Feb 2008 00:00:00Reported by Luigi AuriemmaType 
packetstorm🔗 packetstormsecurity.com👁 25 Views
`
#######################################################################
Luigi Auriemma
Application: WS_FTP Server Manager
http://www.wsftp.com
Versions: WS_FTP Server <= 6.1.0.0
Platforms: Windows
Bugs: A] authorization bypassing in log visualization
B] ASP source visualization
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
WS_FTP Server Manager (aka WS_FTP WebService) is the web administration
interface of the IpSwitch WS_FTP server and runs by default on port 80.
#######################################################################
=======
2) Bugs
=======
-----------------------------------------------
A] authorization bypassing in log visualization
-----------------------------------------------
The FTPLogServer folder available in the WS_FTP WebService is used for
the visualization and the downloading of the log entries collected by
the Logger Server used for any logging operation of the IpSwitch
servers (like both WS_FTP and the same WebService).
Naturally for watching the logs is needed to know the administration
username and password but exists a vulnerability which allows anyone to
gain access to this function of the server.
It's enough to logout from the web server without being logged in and
after this operation is possible to use all the asp files located in
the FTPLogServer folder through a strange account name called
localhostnull.
The vulnerability has been confirmed from both LAN and Internet.
The authorization bypassing is possible only for the ASP files located
in this folder so the management of the FTP server is not touched by
the vulnerability.
---------------------------
B] ASP source visualization
---------------------------
The following small bug is reported here only for thoroughness and has
no impact.
By default it canNOT be defined a vulnerability because the webservice,
although possible due to its directories structure (in short the WS_FTP
stuff is all in the WSFTPSVR folder so the rest of the root path of the
web server can be used for anything else), can't be considered a
"classical" web server where using custom contents.
Anyway if on the web server are in use custom ASP files a person can
see their content simply adding a dot at the end of the URL like in the
following examples of some pre-existent script files without the need
of being logged in:
http://SERVER/WSFTPSVR/login.asp.
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp.
http://SERVER/WSFTPSVR/FTP/ViewCert.asp.
#######################################################################
===========
3) The Code
===========
The following are the URLs to use in sequence for watching the logs:
http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Feb 2008 00:00Current
7.4High risk
Vulners AI Score7.4