what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Sep 12, 2008
Authored by Marc Ruef | Site scip.ch

Pro2col StingRay FTS suffers from a cross site scripting vulnerability via the login username functionality.

tags | exploit, xss
SHA-256 | 24f6911ba28f77c3b0dd0a5756d49433a480655e4285e291ee815c73fe7b74da


Change Mirror Download
Pro2col StingRay FTS login username cross site scripting

scip AG Vulnerability ID 3809 (09/12/2008)


StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.

More information is available on the official product web site at the
following URL:



Marc Ruef at scip AG found an input validation error within the current

The initial logon script at /login.jsp that is not protected by any
authentication procedure can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
affected too.

--- cut ---

<form name="form_login" method="post" action="verify_login.jsp">
<input type="hidden" name="form_browser_os" value="2">
<input type="hidden" name="form_browser_type" value="2">
<table border="0" cellspacing="0" width="100%"
<td valign="center" class="loginheadertable">StingRay Login</td>

<img border="0" src="images/line.jpg" width="100%" height="10"></img>
<table border="0" cellpadding="5" cellspacing="5" width="100%"
<tr height="25" valign="middle">
<td width="15%">Benutzername</td>
<td width="35%"><input type="text" name="form_username"
<td width="50%">&nbsp;</td>

<tr height="15" valign="middle">
<input type="password" name="form_password" size="30">

<img border="0" src="images/line.jpg" width="100%" height="10">
<table border="0" cellpadding="5" cellspacing="5" width="100%"
<td width="50%" align="right">
<input type="Image" src="images/bt_login_de.gif" name="login"


--- cut ---


Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerabilities.

The approach to verify an insecure installation is possible with a
simple form input. Use the following string as user name and a wrong
passwort for the proof-of-concept:


The script injection happens in this line (between the H3 headers) in
the file /verify_login.jsp:

<H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>

The detection of vulnerable hosts is possible via Google hacking too as
like Johnny Long has documented in his web database[1]. httprecon
supports web fingerprinting for such devices too[2]. A plugin for our
open-source exploiting framework Attack Tool Kit (ATK) will be published
in the future[3].


Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges
(e.g. extracting sensitive cookie information or launch a buffer
overflow attack against another web browser). However, as Robert Welz
with Pro2col told my via email, the discussed login part should be
available on the internal interface only.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.


Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.


We have informed Pro2col on an early stage. They confirmed the problem
and announced a bugfix for a release scheduled in March 2008 initially.
A re-scheduling was proposed and no further details provided. Our last
request stood unanswered for a long time.


Pro2col has been informed a first time at 2008/06/12 via email at
info-at-pro2col.com. A very kind reply by James Lewis came back a few
hours later. Further discussion of the flaw (how to reproduce) were held
with Robert Welz. A re-scheduling of the planned patch was proposed. Our
last request stood unanswered for a long time.


scip AG - Security Consulting Information Process (german)

scip AG Vulnerability Database (german)

computec.ch document data base (german)


2007/12/05 Identification of the vulnerability
2007/12/06 First information to info-at-pro2col.com
2007/12/07 Immediate reply by and further discussion with James Lewis
2008/01/11 Technical confirmation by Robert Welz
2008/03/18 Status report by Robert Welz
2008/07/08 Offering for re-check of the patch by Robert Welz
2008/07/09 Undefined re-scheduling of the patch
2008/08/29 Last request for actual status (no reply)
2008/09/12 Public advisory


The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland


[1] http://www.computec.ch/projekte/httprecon/
[2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814
[3] http://www.computec.ch/projekte/atk/


Copyright (c) 2007-2008 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By