Raw Request GET /public/folder/X6VT-CTCj0W6RSDgFW3gNw/demo/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E/junk/ HTTP/1.1 The following raw HTTP request shows the payload. Below is an image showing a script that displays the domain of the vulnerable server. When adding arbitrary code after the escape, the client executes this code. Below is a picture showing what happens when an attacker escapes the folder image.īelow is an image showing the HTML of the above folder. When changing the URL path, one element can be escaped by inserting “> followed by another directory. The attacker could either create one themselves if they have an account or discover one. The vulnerability impacts anyone who clicks the malicious link crafted by the attacker.Ī user must first share a folder for others to view. A remote attacker must perform the file path modification on an authenticated user’s directory URL to insert arbitrary JavaScript or HTML. This occurs because the “folder_up.png” image tag does not properly sanitize user-inserted directory paths. Reflected cross-site scripting through an image tag in Cerberus FTP Server up to version 10.0.16.0 allows a remote attacker to execute arbitrary JavaScript or HTML via a specially crafted public folder URL. Improper Neutralization of Input During Web Page Generation (“Cross-Site Scripting”) (CVE-2020-5195) Detailed Information That said, we still need to convince him to get a Twitter account!įinally, this post will follow the same format as my last disclosure. However, I’m just here to publish all his hard work and save myself some writing. You can download the Cerberus FTP Server here.Īdditionally, you can visit the Cerberus public disclosures at the following URLs:Īll the credit for these findings goes to Quinn Zapata. Now that they are fixed, it is time to disclose some Cerberus FTP vulnerabilities!Ĭerberus FTP Vulnerabilities – IntroductionĪvalara discovered multiple vulns in the Cerberus FTP Server version 10.0.16.0 and version 8's web client.
0 Comments
Leave a Reply. |