Discussion with the wftpserver.com support. This vulnerability was not considered critical as it requires an authenticated login to exploit. But it will be fixed in the next release, in about a month's time.
On Wed, Jun 2, 2010 at 5:35 PM, werew01f <[email protected]> wrote:
> Security Advisory: Wing FTP Server - Cross Site Scripting Vulnerability
> ========================================================
>
> Discovered Date: May 31, 2010
> System affected: Wing FTP Server for Windows, Version 3.5.0 and prior
> versions
>
> Vulnerability Description:
> ==================
> Wing FTP Server is a multi-protocol file server which supports protocols such as
> HTTP and FTP. It comes with a Web-based "Administrator" Console. The
> XSS vulnerability is found in the "Administrator" Web interface.
>
> In the "Administrator" web interface, script can be injected from the
> POST command. This can be exploited by injecting arbitrary HTML and
> malicious script code, which will execute in a user's browser session.
>
> The Vulnerable URL: http://x.x.x.x:5466/admin_loginok.html (Default
> port is 5466).
>
> Researcher Info:
> ============
> Discovered by: w01f
> Website: http://labs-werew01f.blogspot.com
> E-mail: hack [dot] werew01f [at] gmail [dot] com
>
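The defect class the advisory describes (a POST field reflected into the admin "login ok" page without encoding) next to the fix, as an added illustration that is not Wing FTP Server's own code. The page gives no handler or field names, so `username`, `domain` and the page markup are constructed assumptions; the audit helper submits a harmless marker and reports which fields come back as live markup.

```python
import html
from typing import Callable, Dict, List

# Constructed sample of what a browser would submit in the admin login POST.
SAMPLE_POST: Dict[str, str] = {"username": "admin", "domain": "Default"}

# Harmless marker: inert markup whose raw presence in output proves no encoding.
PROBE = '<b data-probe="1">x</b>'

Renderer = Callable[[Dict[str, str]], str]


def render_login_ok_vulnerable(form: Dict[str, str]) -> str:
    """Reflects POST fields verbatim into the page: any HTML or script in a
    field becomes part of the document the admin's browser executes."""
    return (
        "<html><body>"
        f"<p>Welcome, {form.get('username', '')}</p>"
        f"<p>Domain: {form.get('domain', '')}</p>"
        "</body></html>"
    )


def render_login_ok_fixed(form: Dict[str, str]) -> str:
    """Same page with every reflected value HTML-escaped for element content
    and attribute context (quote=True also encodes ' and ")."""
    user = html.escape(form.get("username", ""), quote=True)
    domain = html.escape(form.get("domain", ""), quote=True)
    return (
        "<html><body>"
        f"<p>Welcome, {user}</p>"
        f"<p>Domain: {domain}</p>"
        "</body></html>"
    )


def reflects_unescaped(render: Renderer, field: str) -> bool:
    """Regression check for one field: does the probe come back as raw markup?"""
    form = dict(SAMPLE_POST)
    form[field] = PROBE
    return PROBE in render(form)


def audit(render: Renderer) -> List[str]:
    """Names every POST field a renderer reflects without encoding."""
    return [f for f in SAMPLE_POST if reflects_unescaped(render, f)]
```

Run `audit` against a handler before and after a fix: an empty list is the expected result for the patched page.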
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
