While conducting an external network penetration test for a client, I found an instance of Wing FTP Server running in the client’s external IP space. During the assessment, I discovered a previously unknown Cross-Site Scripting vulnerability in the Wing FTP Server (version 6.4.4) web interface. The details of the vulnerability and disclosure process are described below.
Note: For the purpose of capturing the proof of concept screenshots in this writeup, I configured a local instance of Wing FTP Server. No screenshots are included from the actual client environment.
While assessing the Wing FTP Server web application, I found a help page that was accessible without valid credentials.
Furthermore, I discovered a script on the help page which writes a URL parameter to a frame src attribute without checking its value. Because a src value beginning with javascript: is executed in the origin of the help page when the frame navigates to it, this exposes the service to a Cross-Site Scripting vulnerability.
I created the following proof of concept link to exploit the Cross-Site Scripting vulnerability in Wing FTP Server.
Visiting the link executed arbitrary JavaScript in the browser as shown below.
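As an added illustration of the pattern described above (this is not Wing FTP Server's code; the parameter name page, the help directory layout, the frame id and the allowlist are assumptions), the following JavaScript shows the unsafe pattern of writing a query parameter straight into a frame src next to a hardened version that resolves the value against the current help directory and rejects anything that changes scheme or host, leaves the directory, or is not a plain .html topic:

```javascript
// Added example, not Wing FTP Server's code. The parameter name "page", the
// help directory layout and the allowlist are assumptions for illustration.

// Unsafe pattern: the query parameter is written to the frame src as-is.
// A value such as "javascript:alert(document.domain)" is then executed in
// the origin of the page when the frame navigates to it.
function frameSrcUnsafe(href) {
  const page = new URL(href).searchParams.get("page");
  return page === null ? "index.html" : page;
}

// Hardened version: resolve the parameter relative to the directory of the
// current page and keep it only if the result is same-origin, stays inside
// that directory and names a plain .html file. Anything else falls back to
// the default topic. URL parsing does the normalisation, so "javascript:",
// "data:", "//evil.example/", "../" and "%2e%2e/" are all rejected.
function frameSrcSafe(href) {
  const DEFAULT = "index.html";
  const current = new URL(href);
  const page = current.searchParams.get("page");
  if (page === null) return DEFAULT;

  const dir = new URL(".", current);              // e.g. http://host/help/
  let target;
  try {
    target = new URL(page, dir);                  // absolute URLs ignore the base
  } catch (e) {
    return DEFAULT;                               // unparseable input
  }
  if (target.origin !== dir.origin) return DEFAULT;               // scheme or host changed
  if (!target.pathname.startsWith(dir.pathname)) return DEFAULT;  // escaped the directory
  const leaf = target.pathname.slice(dir.pathname.length);
  if (!/^[A-Za-z0-9_-]+\.html$/.test(leaf)) return DEFAULT;       // one plain help topic
  return target.pathname;
}

// Browser wiring (skipped when run outside a browser, e.g. under Node):
// the frame receives the validated value instead of the raw parameter.
if (typeof document !== "undefined") {
  const frame = document.getElementById("content");   // assumed frame id
  if (frame) frame.src = frameSrcSafe(location.href);
}
```

The hardened version deliberately avoids a denylist of schemes: letting the URL parser resolve the value and then comparing origin and path catches percent-encoded and protocol-relative variants that string matching on "javascript:" would miss.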
I searched for more information about Wing FTP Server and found that the vendor's website claims over 8,000 organizations use it, including the U.S. Air Force, Accenture, Sephora, Reuters and Sony.
I responsibly disclosed the vulnerability to the Wing FTP Server developers and ensured a patch was issued.
Responsible Disclosure Timeline:
- October 26th, 2020 - Vulnerability disclosed to developers
- November 17th, 2020 - Patch issued
- January 20th, 2021 - Blog posted