Multiple XSS vulnerabilities in Cerberus FTP Server <= 5.0.5.1 [CVE-2012-6339]

2013-01-02T00:00:00
ID SECURITYVULNS:DOC:28914
Type securityvulns
Reporter Securityvulns
Modified 2013-01-02T00:00:00

Description

Overview

Cerberus FTP Server (http://www.cerberusftp.com/) is a secure and reliable FTP server with many features and available functionality.

It was discovered that the Web Administration interface has multiple persistent Cross Site Scripting (XSS) vulnerabilities. In the log viewer there is a XSS vulnerability which may be used by an unauthenticated user against an authenticated user. In the server manager a trivial XSS vulnerability exists which may be used by the authenticated user.

Analysis

To start, the vulnerabilities in the on the "/servermanger" page is trivial to exploit by escaping the "<textarea>" tags for each available server message.

The "/log" is less trivial to exploit in that the log page uses async-javascript callbacks to collect and display log data to the user. The log clears itself in 2-3 seconds as well. This occurs normally on an 8 second cycle and I in my experience it was difficult to have the log populated with appropriate attack vectors during a window to achieve exploitation.

I believe an administrative user would have to be logged in at the time of the attack and actively viewing the "/log" page to achieve successful exploitation. Due to these limitations I believe this to have a significant effect on the impact and reliability on any possible exploit code.

For more discussion on these bugs I've created a brief write-up at: http://sadgeeksinsnow.blogspot.com/2012/12/persistence-is-key-another-bug-hunt.html

Timeline

12/05/2012 - Discovered multiple bugs in product vendor's application 12/06/2012 - Disclosure of details to product vendor 12/07/2012 - Vendor created fixes for reported bugs 12/13/2012 - CVE Assignment 12/19/2012 - Public disclosure to Bugtraq

CVE(s)

CVE-2012-6339: Multiple XSS vulnerabilities in Cerberus FTP Web Administration interface. Affected pages are "/log" and "/servermanager".

Remediation

Update to the latest version of Cerberus FTP Server.

Special Thanks

Special Thanks to Grant @ Cerberus for his incredible response time and dedication to secure coding principles.

For more information concerning myself or my research: sadgeeksinsnow.blogspot.com