PHPWebFTP 3.3b Cross Site Scripting
Posted on 14 May 2016
PHPWebFTP ver 3.3b - xss vulnerability , by N_A. N_A [at] tutanota.com Vendor has notified Description ---------------- phpWebFTP enables connections to FTP servers, even behind a firewall not allowing traffic. phpWebFTP bypasses the firewall by making a FTP connection from your web server to the FTP server and transferring the files to your web client over the http protocol Vulnerability ------------- PHPWebFTP ver 3.3b allows malicious code injection due to some variables we can control. This allows an attacker to inject malicious code to carry out XSS attacks upon the program. ----snip , index.php---- $server=$_SESSION['server']; $user=$_SESSION['user']; $password=$_SESSION['password']; $language=$_SESSION['language']; $port=$_SESSION['port']; $passive=$_SESSION['passive']; ----snip , index.php---- further down in the code, the variables are passed without any security/filtering checks: ----snip, index.php---- $ftp = new ftp($server, $port, $user, $password, $passive); $ftp->setMode($mode); $ftp->setCurrentDir($currentDir); ----snip, index.php---- Code injected into the [server] field: <script>alert('executed');</script> This is also possible for the [username],[port] and [field] options. N_A [at] tutanota.com -- Securely sent with Tutanota. Claim your encrypted mailbox today! https://tutanota.com