Wing FTP Server Authenticated Command Execution Vulnerability Network Vulnerability

Summary

This host is installed with Wing FTP Server and is prone to authenticated remote code execution vulnerability.

Impact

Successful exploitation will allow an authenticated remote attacker to execute arbitrary commands. Impact Level: Application

Solution

No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available, For updates refer http://www.wftpserver.com

Insight

Flaw is due to the os.execute() function in the embedded LUA interpreter in the admin web interface is not properly handling specially crafted HTTP POST requests.

Affected

Wing FTP Server version 4.3.8, Prior versions may also be affected.

Detection

Send a crafted exploit string via HTTP GET request and check whether it is able to execute the code remotely.

References

http://packetstormsecurity.com/files/128045
http://www.exploit-db.com/exploits/34517

Updated on 2017-03-28

Severity

Classification

CVSS Base Score: 8.2
AV:N/AC:M/Au:S/C:C/I:C/A:P

Related Vulnerabilities

Advanced Guestbook Index.PHP SQL Injection Vulnerability
Atlassian JIRA FishEye and Crucible Plugins XML Parsing Unspecified Security Vulnerability
Avenger's News System Command Execution
Alchemy Eye HTTP Command Execution
appRain CMF SQL Injection And Cross Site Scripting Vulnerabilities

Take action and discover your vulnerabilities