Wing FTP Server < 3.5.1 XSS

This script is Copyright (C) 2010-2011 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a cross-site scripting
vulnerability.

Description :

According to its banner, the remote host is running a version of Wing
FTP Server earlier than 3.5.1.

The web server included with such versions is affected by a cross-site
scripting vulnerability. By sending a specially crafted 'POST'
request to the admin web interface, an authenticated, remote attacker
may be able to leverage this issue to inject arbitrary HTML or script
code into a user's browser to be executed within the security context
of the affected site.

See also :

http://www.nessus.org/u?9d9430a2
http://archives.neohapsis.com/archives/bugtraq/2010-06/0031.html
http://www.wftpserver.com/serverhistory.htm

Solution :

Upgrade to Wing FTP Server 3.5.1 or later.

Risk factor :

Low / CVSS Base Score : 3.5
(CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSS Temporal Score : 3.3
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 47698

Bugtraq ID: 40510

CVE ID: CVE-2010-2428