Ipswitch WS_FTP Server Manager Authorization Bypass Vulnerability

Vulnerability ID: 1114497
Vulnerability type: Authorization issue
Published: 2008-02-06
Updated: 2009-01-29
CVE ID: CVE-2008-5692
CNNVD-ID: CNNVD-200812-405
Platform: ASP
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/31117
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-405
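|Vulnerability details
Ipswitch WS_FTP Server is a highly secure, easy-to-manage file transfer server. Ipswitch WS_FTP Server Manager versions before 6.1.1, and possibly other Ipswitch products, allow remote attackers to bypass authorization and read logs via a logout action on FTPLogServer/login.asp and a request to FTPLogServer/LogViewer.asp with the localhostnull account name.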
|Exploit
source: http://www.securityfocus.com/bid/27654/info

WS_FTP Server Manager is prone to an authentication-bypass vulnerability and an information-disclosure vulnerability.

An attacker can exploit these issues to gain unauthorized access to the affected application and gain access to potentially sensitive information.

These issues affect WS_FTP Server Manager 6.1.0.0; prior versions may also be affected. 

http://www.example.com/WSFTPSVR/FTPLogServer/LogViewer.asp
|References

Source: BID
Name: 27654
Link: http://www.securityfocus.com/bid/27654
Source: BUGTRAQ
Name: 20080206 Re: Logs visualization in WS_FTP Server Manager 6.1.0.0
Link: http://www.securityfocus.com/archive/1/archive/1/487697/100/200/threaded
Source: BUGTRAQ
Name: 20080206 Logs visualization in WS_FTP Server Manager 6.1.0.0
Link: http://www.securityfocus.com/archive/1/archive/1/487686/100/200/threaded
Source: VUPEN
Name: ADV-2008-0473
Link: http://www.frsirt.com/english/advisories/2008/0473
Source: SREASON
Name: 4799
Link: http://securityreason.com/securityalert/4799
Source: SECUNIA
Name: 28822
Link: http://secunia.com/advisories/28822
Source: docs.ipswitch.com
Link: http://docs.ipswitch.com/WS_FTP_Server611/ReleaseNotes/index.htm?k_id=ipswitch_ftp_documents_worldwide_ws_ftpserverv611releasenotes#link12
Source: MISC
Link: http://aluigi.altervista.org/adv/wsftpweblog-adv.txt