Pro2col StingRay FTS login username cross site scripting
scip AG Vulnerability ID 3809 (09/12/2008)
StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.
More information is available on the official product web site at the
Marc Ruef at scip AG found an input validation error within the current
The initial logon script at /login.jsp that is not protected by any
authentication procedure can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
--- cut ---
--- cut ---
Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerabilities.
The approach to verify an insecure installation is possible with a
simple form input. Use the following string as user name and a wrong
passwort for the proof-of-concept:
The script injection happens in this line (between the H3 headers) in
the file /verify_login.jsp:
Der Benutzer konnte nicht in der
Datenbank gefunden werden.
The detection of vulnerable hosts is possible via Google hacking too as
like Johnny Long has documented in his web database. httprecon
supports web fingerprinting for such devices too. A plugin for our
open-source exploiting framework Attack Tool Kit (ATK) will be published
in the future.
Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges
(e.g. extracting sensitive cookie information or launch a buffer
overflow attack against another web browser). However, as Robert Welz
with Pro2col told my via email, the discussed login part should be
available on the internal interface only.
Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.
Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to email@example.com.