==================================================================
Please DO NOT REPLY to this mail or send email to the developers
about this bug. Please follow-up to Bugzilla using this link:
https://bugs.contribs.org/show_bug.cgi?id=9528
Have you checked the Frequently Asked Questions (FAQ)?
http://wiki.contribs.org/SME_Server:Documentation:FAQ
Please also take the time to read the following useful guide:
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================
Bug ID: 9528
Summary: XSS security issue in phpwebftp 3.3b
Classification: Contribs
Product: SME Contribs
Version: 8.2
Hardware: ---
OS: ---
Status: CONFIRMED
Severity: normal
Priority: P3
Component: smeserver-phpwebftp
Assignee: jean-p...@leclere.org
Reporter: te...@pialasse.com
QA Contact: contribteam@lists.contribs.org
https://packetstormsecurity.com/files/137001/phpwebftp-xss.txt
from what i know we use 3.3a, so it might be present too
PHPWebFTP ver 3.3b - xss vulnerability , by N_A.
N_A [at] tutanota.com
Vendor has notified
Description
----------------
phpWebFTP enables connections to FTP servers, even behind a firewall not
allowing traffic. phpWebFTP bypasses the firewall by making a FTP connection
from your web server to the FTP server and transferring the files to your web
client over the http protocol
Vulnerability
-------------
PHPWebFTP ver 3.3b allows malicious code injection due to some variables we
can control. This allows an attacker to inject malicious code to carry out
XSS attacks upon the program.
----snip , index.php----
$server=$_SESSION['server'];
$user=$_SESSION['user'];
$password=$_SESSION['password'];
$language=$_SESSION['language'];
$port=$_SESSION['port'];
$passive=$_SESSION['passive'];
----snip , index.php----
further down in the code, the variables are passed without any
security/filtering checks:
----snip, index.php----
$ftp = new ftp($server, $port, $user, $password, $passive);
$ftp->setMode($mode);
$ftp->setCurrentDir($currentDir);
----snip, index.php----
Code injected into the [server] field: <script>alert('executed');</script>
This is also possible for the [username],[port] and [field] options.
N_A [at] tutanota.com
--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com
--
You are receiving this mail because:
You are the QA Contact for the bug.
_______________________________________________
Mail for each SME Contribs bug report
To unsubscribe, e-mail contribteam-unsubscr...@lists.contribs.org
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/