J-Security Center

Title: Ipswitch WS_FTP Server FTP Command HTML Injection Vulnerability

Severity: MODERATE

Description:

WS_FTP Server is an FTP server application for Windows systems.

The application is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Specifically, the WS_FTP Server fails to properly sanitize user-supplied input when it logs valid FTP commands to a log file. An attacker can inject HTML and JavaScript into the FTP server's log files. These injected scripts are subsequently executed in the context of the administrative web interface when a site administrator views the log files in HTML format. Reportedly, attackers may be able to create new FTP user accounts with this script-insertion method, but this has not been confirmed.

Exploiting this issue may allow attackers to execute HTML and script code in the context of the administrative web interface, to steal cookie-based authentication credentials, or to control how the site is rendered to the site administrator; other attacks are also possible.
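The defect described above, reduced to its essentials as an added example (this is illustration code, not WS_FTP Server's own log viewer; the log line format and field layout are assumptions): a log view that interpolates FTP command text straight into HTML beside the escaped form an administrator's interface should use, plus a check that flags log entries carrying markup so they can be reviewed before anyone opens the log as HTML.

```python
import html
import re

# Constructed sample FTP log lines in an assumed "date time user command args"
# layout. This is not the real WS_FTP Server log format; the third line carries
# markup inside a command argument, which is exactly what the advisory describes.
SAMPLE_LOG = [
    "2007-01-01 10:00:01 alice USER alice",
    "2007-01-01 10:00:02 alice CWD /pub",
    "2007-01-01 10:00:03 mallory CWD <script>document.title='x'</script>",
    "2007-01-01 10:00:04 mallory RETR file.txt",
]


def render_log_unsafe(lines):
    """Vulnerable pattern: log text is concatenated into the HTML page verbatim,
    so a tag inside an FTP argument becomes live markup in the admin's browser."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_log_safe(lines):
    """Hardened form: every log field is HTML-escaped before it reaches the page,
    so the same line is displayed as text rather than interpreted as markup."""
    rows = "".join(f"<tr><td>{html.escape(line, quote=True)}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


# Matches an opening or closing HTML tag such as <script> or </script>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_markup_in_log(lines):
    """Detection aid: return (line_number, line) for every entry whose command
    text contains an HTML tag. Legitimate FTP arguments rarely do."""
    return [(n, line) for n, line in enumerate(lines, 1) if TAG_RE.search(line)]


def contains_live_markup(rendered_html):
    """True if the rendered page still carries an unescaped script element."""
    return "<script" in rendered_html.lower()
```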

This issue affects WS_FTP Server 6; previous versions may be affected as well.

Affected Products:

  • Ipswitch WS_FTP Server 6.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.