Ipswitch WS_FTP Server Script Insertion

Thursday, 30 August 2007


John Harwold has discovered a vulnerability in Ipswitch WS_FTP Server, which can be exploited by malicious users to conduct script insertion attacks.

Parameters passed to valid FTP commands are not properly sanitised before the command is logged. This can be exploited to insert arbitrary HTML and script code, which is executed in the administrator's browser session in context of the administrative web interface when the malicious logs are viewed.
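As an added illustration (not code from the advisory or from Ipswitch), the following Python models the flaw and its fix: a log viewer that interpolates the FTP command argument straight into HTML beside one that escapes every field at output time, plus a scan that flags log entries carrying markup. The log layout, field names and sample lines are constructed assumptions.

```python
import html
import re

# Constructed sample log lines (not from the advisory). The argument after
# the FTP command is client-controlled, which is the field the vulnerable
# administrative interface rendered without escaping.
SAMPLE_LOG = [
    "2007-08-30 10:01:02 192.0.2.10 USER alice",
    "2007-08-30 10:01:05 192.0.2.10 CWD /pub",
    "2007-08-30 10:02:11 192.0.2.44 USER <script>alert(1)</script>",
]

# Assumed log layout: "<date> <time> <client-ip> <COMMAND> [argument]".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$")
# Anything that could open a tag or an entity once placed in an HTML context.
MARKUP_RE = re.compile(r"[<>]|&#|&[a-z]+;|javascript:", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["arg"] = entry["arg"] or ""
    return entry


def render_row_vulnerable(entry):
    """The flaw: logged fields are interpolated directly into the admin page."""
    return "<tr><td>{ts}</td><td>{ip}</td><td>{cmd} {arg}</td></tr>".format(**entry)


def render_row_safe(entry):
    """The fix: every field is HTML-escaped when rendered, whatever was logged."""
    escaped = {k: html.escape(v, quote=True) for k, v in entry.items()}
    return "<tr><td>{ts}</td><td>{ip}</td><td>{cmd} {arg}</td></tr>".format(**escaped)


def scan_log(lines):
    """Flag entries whose command argument carries markup; returns (index, entry) pairs."""
    hits = []
    for i, line in enumerate(lines):
        entry = parse_line(line)
        if entry and MARKUP_RE.search(entry["arg"]):
            hits.append((i, entry))
    return hits
```

Escaping at the rendering step, rather than trying to strip markup when the command is logged, keeps the raw log intact for forensic review while removing the browser-side impact.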

The vulnerability is confirmed in WS_FTP Server 6. Other versions may also be affected.

Restrict access to the WS_FTP server to trusted users only.

Provided and/or discovered by:
John Harwold, VDA Labs

Original Advisory:
