Wing FTP Server Authenticated Command Execution Vulnerability Network Vulnerability

Summary

This host is installed with Wing FTP Server and is prone to authenticated remote code execution vulnerability.

Impact

Successful exploitation will allow an authenticated remote attacker to execute arbitrary commands. Impact Level: Application

Solution

No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available, For updates refer http://www.wftpserver.com

Insight

Flaw is due to the os.execute() function in the embedded LUA interpreter in the admin web interface is not properly handling specially crafted HTTP POST requests.

Affected

Wing FTP Server version 4.3.8, Prior versions may also be affected.

Detection

Send a crafted exploit string via HTTP GET request and check whether it is able to execute the code remotely.

References

http://packetstormsecurity.com/files/128045
http://www.exploit-db.com/exploits/34517

Updated on 2017-03-28

Severity

Classification

CVSS	Base Score: 8.2 AV:N/AC:M/Au:S/C:C/I:C/A:P

Related Vulnerabilities

ArticleSetup Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
Allegro RomPager `Misfortune Cookie` Vulnerability
appRain CMF SQL Injection And Cross Site Scripting Vulnerabilities
Adobe ColdFusion Multiple Vulnerabilities-01 May-2014
Alchemy Eye HTTP Command Execution

Take action and discover your vulnerabilities