FTP Admin v0.1.0 - MULTIPLE VULNERABILITIES by Omni 1) Infos --------- Date : 2007-11-28 Product : FTP Admin Version : v0.1.0 Vendor : http://sourceforge.net/projects/ftpadmin/ Vendor Status : 2007-11-30 Informed! Description : FTP admin is a web-based user administration tool, for usage in combination with vsftpd. FTP admin requires sudo. Features include modification of users and generation of user passwords. Source : omnipresent - omni E-mail : omnipresent[at]NOSPAMemail[dot]it - omni[at]NOSPAMplayhack[dot]net Team : Playhack.net Security 2) Security Issues ------------------- --- [ XSS ] --- =============================================== I think that is better let you see a PoC instead of explain where is the bug.. If you want to know it just look at the source code. --- [ PoC ] --- =============== http://localhost/ft/index.php?page=error&error=... http://localhost/ft/index.php?page=error&error= --- [ Local File Inclusion ] --- ================================ Take a look in index.php, line 49: include("$page.php"); Remembe that you have to log in to made local file inclusion (loggedin = true -> register_global = On) [ Remembe that ] if(!is_file($page . ".php") || (!is_readable($page . ".php"))) { $page = "error"; $error = "Page does not exist or is not readable\n"; } } [ /Remembe that ] --- [ PoC ] --- =============== http://localhost/ft/index.php?page=pass.txt%00&loggedin=true To see pass.txt ... --- [ Admin Bypass ] --- ================================ Today I'm too lazy to explain what's wrong.. so take a look in the source code and watch the var $loggedin !! --- [ PoC ] --- =============== To add a user... http://localhost/ft/index.php?page=add&loggedin=true