Logs visualization in WS_FTP Server Manager 6.1.0.0




#######################################################################

Luigi Auriemma

Application: WS_FTP Server Manager
http://www.wsftp.com
Versions: WS_FTP Server <= 6.1.0.0
Platforms: Windows
Bugs: A] authorization bypassing in log visualization
B] ASP source visualization
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


WS_FTP Server Manager (aka WS_FTP WebService) is the web administration
interface of the IpSwitch WS_FTP server and runs by default on port 80.


#######################################################################

=======
2) Bugs
=======

-----------------------------------------------
A] authorization bypassing in log visualization
-----------------------------------------------

The FTPLogServer folder available in the WS_FTP WebService is used for
the visualization and the downloading of the log entries collected by
the Logger Server used for any logging operation of the IpSwitch
servers (like both WS_FTP and the same WebService).

Naturally for watching the logs is needed to know the administration
username and password but exists a vulnerability which allows anyone to
gain access to this function of the server.

It's enough to logout from the web server without being logged in and
after this operation is possible to use all the asp files located in
the FTPLogServer folder through a strange account name called
localhostnull.
The vulnerability has been confirmed from both LAN and Internet.

The authorization bypassing is possible only for the ASP files located
in this folder so the management of the FTP server is not touched by
the vulnerability.


---------------------------
B] ASP source visualization
---------------------------

The following small bug is reported here only for thoroughness and has
no impact.
By default it canNOT be defined a vulnerability because the webservice,
although possible due to its directories structure (in short the WS_FTP
stuff is all in the WSFTPSVR folder so the rest of the root path of the
web server can be used for anything else), can't be considered a
"classical" web server where using custom contents.

Anyway if on the web server are in use custom ASP files a person can
see their content simply adding a dot at the end of the URL like in the
following examples of some pre-existent script files without the need
of being logged in:

http://SERVER/WSFTPSVR/login.asp.
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp.
http://SERVER/WSFTPSVR/FTP/ViewCert.asp.


#######################################################################

===========
3) The Code
===========


The following are the URLs to use in sequence for watching the logs:

http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout
http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org