lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 31 Jan 2019 22:06:57 +0000
From: Chris <lists@...lchris.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Reflected XSS in n SolarWinds Serv-U FTP Server

Issue:                  Reflected Cross-Site Scripting
CVE:                    CVE-2018-19934
Security researcher:    Chris Moberly @ The Missing Link Security
Product name:           Serv-U FTP Server
Product version:        Tested on 15.1.6.25 (current as of Dec 2018)
Fixed in:               Serv-U 15.1.6 hotfix 3

# Overview
The Serv-U FTP Server is vulnerable to a reflected cross-site scripting
attack at the following injection points:

**Injection Point: URL Path**
* /Admin/XML
* /Admin/XML/Result.xml

As a proof of concept, browsing to the URLs below while authenticated as a
member of one of the administrative groups will produce a harmless JavaScript
alert box.

* /Admin/XML/Result.xml%22%3balert('XSS!')//xxx?Command=DismissWhatsNew
* /Admin/XML%22%3balert('XSS!')//xxx/Result.xml?Command=DismissWhatsNew

Additionally, another less-likely injection point was found in a POST
parameter. This can be demonstrated in the UI by defining an SMTP server
and sending a test alert. The affected URL is as follows:

**Injection Point: HTTP POST Parameter**
* /Admin/XML/SMTPResult.xml ('SMTPServer' parameter)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists