==================================================================
  Please DO NOT REPLY to this mail or send email to the developers
  about this bug. Please follow-up to Bugzilla using this link:
    https://bugs.contribs.org/show_bug.cgi?id=9528

  Have you checked the Frequently Asked Questions (FAQ)?
    http://wiki.contribs.org/SME_Server:Documentation:FAQ

  Please also take the time to read the following useful guide:
    http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================

            Bug ID: 9528
           Summary: XSS security issue in phpwebftp 3.3b
    Classification: Contribs
           Product: SME Contribs
           Version: 8.2
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-phpwebftp
          Assignee: jean-p...@leclere.org
          Reporter: te...@pialasse.com
        QA Contact: contribteam@lists.contribs.org

https://packetstormsecurity.com/files/137001/phpwebftp-xss.txt

From what I know, we use 3.3a, so it might be present too.

PHPWebFTP ver 3.3b - XSS vulnerability, by N_A.
N_A [at] tutanota.com


Vendor has notified



Description
----------------



phpWebFTP enables connections to FTP servers, even behind a firewall not
allowing traffic. phpWebFTP bypasses the firewall by making an FTP connection
from your web server to the FTP server and transferring the files to your web
client over the HTTP protocol.



Vulnerability
-------------


PHPWebFTP ver 3.3b allows malicious code injection due to some variables we 
can control. This allows an attacker to inject malicious code to carry out 
XSS attacks upon the program.


----snip , index.php----

    $server=$_SESSION['server'];
    $user=$_SESSION['user'];
    $password=$_SESSION['password'];
    $language=$_SESSION['language'];
    $port=$_SESSION['port'];
    $passive=$_SESSION['passive'];

----snip , index.php----





Further down in the code, the variables are passed without any
security/filtering checks:

----snip, index.php----

    $ftp = new ftp($server, $port, $user, $password, $passive);
    $ftp->setMode($mode);
    $ftp->setCurrentDir($currentDir);

----snip, index.php----





Code injected into the [server] field: <script>alert('executed');</script>
This is also possible for the [username], [port] and [field] options.




N_A [at] tutanota.com
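
Added example, not part of the advisory and not phpWebFTP's own code: one way to handle the fields named above, validating them before they reach $_SESSION and escaping them wherever they are written back into HTML. The helper names h() and validate_login() and the validation rules are assumptions; the password is left out because it should never be echoed.

```php
<?php
// Added example (hypothetical helpers, not phpWebFTP code).
// Field names follow the advisory's index.php snippet.

// Escape a value for an HTML text or attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate login-form fields before storing them in $_SESSION.
// Returns the cleaned values or throws on the first malformed field.
function validate_login(array $in): array
{
    $server = trim((string)($in['server'] ?? ''));
    // Accept a DNS hostname or an IP literal; markup characters fail both.
    $isHost = filter_var($server, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    $isIp   = filter_var($server, FILTER_VALIDATE_IP) !== false;
    if ($server === '' || !($isHost || $isIp)) {
        throw new InvalidArgumentException('invalid server');
    }

    $port = filter_var($in['port'] ?? '21', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('invalid port');
    }

    // FTP user names are free-form: reject control characters only and
    // rely on h() when the name is displayed.
    $user = (string)($in['user'] ?? '');
    if ($user === '' || preg_match('/[\x00-\x1f\x7f]/', $user)) {
        throw new InvalidArgumentException('invalid user');
    }

    return ['server' => $server, 'port' => $port, 'user' => $user];
}

// Constructed input: the advisory's payload in the server field.
$post = ['server' => "<script>alert('executed');</script>", 'port' => '21', 'user' => 'demo'];
try {
    $_SESSION = validate_login($post) + ($_SESSION ?? []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Output side: escape every echoed value, including ones that passed validation.
echo '<input name="user" value="', h('demo"><b>x'), '">', PHP_EOL;
```

Validation alone does not cover the user name, which can legitimately contain characters such as < or ", so the output escaping is the control that matters for every field that is displayed.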



