wsftp-disclose.txt

2008-02-06T00:00:00
ID PACKETSTORM:63341
Type packetstorm
Reporter Luigi Auriemma
Modified 2008-02-06T00:00:00

Description

                                        
                                            `  
#######################################################################  
  
Luigi Auriemma  
  
Application: WS_FTP Server Manager  
http://www.wsftp.com  
Versions: WS_FTP Server <= 6.1.0.0  
Platforms: Windows  
Bugs: A] authorization bypassing in log visualization  
B] ASP source visualization  
Exploitation: remote  
Date: 06 Feb 2008  
Author: Luigi Auriemma  
e-mail: aluigi@autistici.org  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
WS_FTP Server Manager (aka WS_FTP WebService) is the web administration  
interface of the IpSwitch WS_FTP server and runs by default on port 80.  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
-----------------------------------------------  
A] authorization bypassing in log visualization  
-----------------------------------------------  
  
The FTPLogServer folder available in the WS_FTP WebService is used for  
the visualization and the downloading of the log entries collected by  
the Logger Server used for any logging operation of the IpSwitch  
servers (like both WS_FTP and the same WebService).  
  
Naturally for watching the logs is needed to know the administration  
username and password but exists a vulnerability which allows anyone to  
gain access to this function of the server.  
  
It's enough to logout from the web server without being logged in and  
after this operation is possible to use all the asp files located in  
the FTPLogServer folder through a strange account name called  
localhostnull.  
The vulnerability has been confirmed from both LAN and Internet.  
  
The authorization bypassing is possible only for the ASP files located  
in this folder so the management of the FTP server is not touched by  
the vulnerability.  
  
  
---------------------------  
B] ASP source visualization  
---------------------------  
  
The following small bug is reported here only for thoroughness and has  
no impact.  
By default it canNOT be defined a vulnerability because the webservice,  
although possible due to its directories structure (in short the WS_FTP  
stuff is all in the WSFTPSVR folder so the rest of the root path of the  
web server can be used for anything else), can't be considered a  
"classical" web server where using custom contents.  
  
Anyway if on the web server are in use custom ASP files a person can  
see their content simply adding a dot at the end of the URL like in the  
following examples of some pre-existent script files without the need  
of being logged in:  
  
http://SERVER/WSFTPSVR/login.asp.  
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp.  
http://SERVER/WSFTPSVR/FTP/ViewCert.asp.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
The following are the URLs to use in sequence for watching the logs:  
  
http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout  
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.org  
`