what you don't know can hurt you


Posted Sep 12, 2008
Authored by Marc Ruef | Site scip.ch

Pro2col StingRay FTS suffers from a cross site scripting vulnerability via the login username functionality.

tags | exploit, xss
MD5 | 08c034f681ddb155997ab310477742e8


Change Mirror Download
Pro2col StingRay FTS login username cross site scripting

scip AG Vulnerability ID 3809 (09/12/2008)


StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.

More information is available on the official product web site at the
following URL:



Marc Ruef at scip AG found an input validation error within the current

The initial logon script at /login.jsp that is not protected by any
authentication procedure can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
affected too.

--- cut ---

<form name="form_login" method="post" action="verify_login.jsp">
<input type="hidden" name="form_browser_os" value="2">
<input type="hidden" name="form_browser_type" value="2">
<table border="0" cellspacing="0" width="100%"
<td valign="center" class="loginheadertable">StingRay Login</td>

<img border="0" src="images/line.jpg" width="100%" height="10"></img>
<table border="0" cellpadding="5" cellspacing="5" width="100%"
<tr height="25" valign="middle">
<td width="15%">Benutzername</td>
<td width="35%"><input type="text" name="form_username"
<td width="50%">&nbsp;</td>

<tr height="15" valign="middle">
<input type="password" name="form_password" size="30">

<img border="0" src="images/line.jpg" width="100%" height="10">
<table border="0" cellpadding="5" cellspacing="5" width="100%"
<td width="50%" align="right">
<input type="Image" src="images/bt_login_de.gif" name="login"


--- cut ---


Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerabilities.

The approach to verify an insecure installation is possible with a
simple form input. Use the following string as user name and a wrong
passwort for the proof-of-concept:


The script injection happens in this line (between the H3 headers) in
the file /verify_login.jsp:

<H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>

The detection of vulnerable hosts is possible via Google hacking too as
like Johnny Long has documented in his web database[1]. httprecon
supports web fingerprinting for such devices too[2]. A plugin for our
open-source exploiting framework Attack Tool Kit (ATK) will be published
in the future[3].


Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges
(e.g. extracting sensitive cookie information or launch a buffer
overflow attack against another web browser). However, as Robert Welz
with Pro2col told my via email, the discussed login part should be
available on the internal interface only.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.


Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.


We have informed Pro2col on an early stage. They confirmed the problem
and announced a bugfix for a release scheduled in March 2008 initially.
A re-scheduling was proposed and no further details provided. Our last
request stood unanswered for a long time.


Pro2col has been informed a first time at 2008/06/12 via email at
info-at-pro2col.com. A very kind reply by James Lewis came back a few
hours later. Further discussion of the flaw (how to reproduce) were held
with Robert Welz. A re-scheduling of the planned patch was proposed. Our
last request stood unanswered for a long time.


scip AG - Security Consulting Information Process (german)

scip AG Vulnerability Database (german)

computec.ch document data base (german)


2007/12/05 Identification of the vulnerability
2007/12/06 First information to info-at-pro2col.com
2007/12/07 Immediate reply by and further discussion with James Lewis
2008/01/11 Technical confirmation by Robert Welz
2008/03/18 Status report by Robert Welz
2008/07/08 Offering for re-check of the patch by Robert Welz
2008/07/09 Undefined re-scheduling of the patch
2008/08/29 Last request for actual status (no reply)
2008/09/12 Public advisory


The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland


[1] http://www.computec.ch/projekte/httprecon/
[2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814
[3] http://www.computec.ch/projekte/atk/


Copyright (c) 2007-2008 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By