####################################################################### Luigi Auriemma Application: WS_FTP Server Manager http://www.wsftp.com Versions: WS_FTP Server <= 6.1.0.0 Platforms: Windows Bugs: A] authorization bypassing in log visualization B] ASP source visualization Exploitation: remote Date: 06 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== WS_FTP Server Manager (aka WS_FTP WebService) is the web administration interface of the IpSwitch WS_FTP server and runs by default on port 80. ####################################################################### ======= 2) Bugs ======= ----------------------------------------------- A] authorization bypassing in log visualization ----------------------------------------------- The FTPLogServer folder available in the WS_FTP WebService is used for the visualization and the downloading of the log entries collected by the Logger Server used for any logging operation of the IpSwitch servers (like both WS_FTP and the same WebService). Naturally for watching the logs is needed to know the administration username and password but exists a vulnerability which allows anyone to gain access to this function of the server. It's enough to logout from the web server without being logged in and after this operation is possible to use all the asp files located in the FTPLogServer folder through a strange account name called localhostnull. The vulnerability has been confirmed from both LAN and Internet. The authorization bypassing is possible only for the ASP files located in this folder so the management of the FTP server is not touched by the vulnerability. --------------------------- B] ASP source visualization --------------------------- The following small bug is reported here only for thoroughness and has no impact. By default it canNOT be defined a vulnerability because the webservice, although possible due to its directories structure (in short the WS_FTP stuff is all in the WSFTPSVR folder so the rest of the root path of the web server can be used for everything else), can't be considered a "classical" web server where using custom contents. Anyway if on the web server are in use custom ASP files a person can see their content simply adding a dot at the end of the URL like in the following examples of some pre-existent script files without the need of being logged in: http://SERVER/WSFTPSVR/login.asp. http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp. http://SERVER/WSFTPSVR/FTP/ViewCert.asp. Note: this same bug exists also in the web interface of Whatsup Gold. ####################################################################### =========== 3) The Code =========== The following are the URLs to use in sequence for watching the logs: http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp ####################################################################### ====== 4) Fix ====== No fix #######################################################################