Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19026
HistoryFeb 07, 2008 - 12:00 a.m.

Logs visualization in WS_FTP Server Manager 6.1.0.0

2008-02-0700:00:00
vulners.com
34
JSON

#######################################################################

                         Luigi Auriemma

Application: WS_FTP Server Manager
http://www.wsftp.com
Versions: WS_FTP Server <= 6.1.0.0
Platforms: Windows
Bugs: A] authorization bypassing in log visualization
B] ASP source visualization
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

WS_FTP Server Manager (aka WS_FTP WebService) is the web administration
interface of the IpSwitch WS_FTP server and runs by default on port 80.

#######################################################################

=======
2) Bugs

A] authorization bypassing in log visualization

The FTPLogServer folder available in the WS_FTP WebService is used for
the visualization and the downloading of the log entries collected by
the Logger Server used for any logging operation of the IpSwitch
servers (like both WS_FTP and the same WebService).

Naturally for watching the logs is needed to know the administration
username and password but exists a vulnerability which allows anyone to
gain access to this function of the server.

It's enough to logout from the web server without being logged in and
after this operation is possible to use all the asp files located in
the FTPLogServer folder through a strange account name called
localhostnull.
The vulnerability has been confirmed from both LAN and Internet.

The authorization bypassing is possible only for the ASP files located
in this folder so the management of the FTP server is not touched by
the vulnerability.

B] ASP source visualization

The following small bug is reported here only for thoroughness and has
no impact.
By default it canNOT be defined a vulnerability because the webservice,
although possible due to its directories structure (in short the WS_FTP
stuff is all in the WSFTPSVR folder so the rest of the root path of the
web server can be used for anything else), can't be considered a
"classical" web server where using custom contents.

Anyway if on the web server are in use custom ASP files a person can
see their content simply adding a dot at the end of the URL like in the
following examples of some pre-existent script files without the need
of being logged in:

http://SERVER/WSFTPSVR/login.asp.
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp.
http://SERVER/WSFTPSVR/FTP/ViewCert.asp.

#######################################################################

===========
3) The Code

The following are the URLs to use in sequence for watching the logs:

http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp

#######################################################################

======
4) Fix

No fix

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON