I. Overview
 Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been 
identified in
Crushftp 7.2.0 (Web Interface) on default configuration. These vulnerabilities 
 an attacker to gain control over valid user accounts, perform operations
 on their behalf, redirect them to malicious sites, steal their credentials,
 and more.
 II. Severity
 Rating: Medium
 Remote: Yes
 Authentication Require: Yes
 III. Vendor's Description of Application
CrushFTP is a robust file transfer server that makes it easy to setup secure 
connections with your users.
'Crush' comes from the built-in zip methods in CrushFTP. They allow for 
downloading files in compressed formats in-stream, 
or even automatically expanding zip files as they are received in-stream. This 
is called ZipStreaming and can greatly accelerate 
the transfer of many types of files.
Secure management is web based allowing you the ability to manage and monitor 
the server from anywhere, or with almost any device. 
Easy in place server upgrades without complicated installers. Runs as a daemon, 
or Windows service with no need for a local GUI.
CrushFTP is watching out for you by detecting common hack attempts and robots 
which scan for weak passwords. It will automatically 
protect you against DDoS attacks. No need for you to do anything as CrushFTP 
will automatically ban these IPs to prevent wasted logging and CPU usage. 
This keeps your server secure from unwanted abuse.
User management includes inheritance, groups, and virtual file systems. If you 
want simple user management, 
it can be as easy as just making a folder with a specific name and nothing 
Think about how easily you can delegate user administration with CrushFTP's 
role based administration and event configuration. 

 IV. Vulnerability Details & Exploit

 1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) 

 a) An attacker may add/delete/modify user's accounts 
 b) May change all configuration settings 

Request Method: POST
Location: /WebInterface/fuction/

Proof of Concept:- 


2) Multiple Cross-Site Scripting (Web Interface - Default Config)

Type: Reflected
Request Method: POST 
Location: /WebInterface/function/ 
Parameter: vfs_items
vfs_items =  

Proof of Concept:

POST /WebInterface/function/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 656
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


Type: Reflected
Request Method: GET 
Location: /WebInterface/function/ 
Parameter: path

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to