Bug 212368 - www-apps/net2ftp security status
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [noglsa]
Reported: 2008-03-05 11:09 UTC by Jakub Moc (RETIRED)
Modified: 2009-09-14 22:09 UTC (History)
Description Jakub Moc (RETIRED) gentoo-dev 2008-03-05 11:09:48 UTC
Secunia Advisory: SA22255
Release Date: 2006-10-03

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched

Software: net2ftp 0.x



Description:
securfrog has discovered a vulnerability in net2ftp, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "username" parameter in index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability has been confirmed in version 0.93. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
securfrog
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2008-03-05 11:25:11 UTC
Quickly looking at 0.96, it still fails to perform any sanitization on username values, beyond the below funky comment suggesting upstream is clueless...

<snip>
function validateUsername($username) {

// --------------
// This function validates the username
// --------------

// Remove invisible characters in the beginning and at the end
        $username = trim($username);

// Remove XSS code
//      $username = RemoveXSS($username);

        return $username;

} // end validateUsername
</snip>

The password handling also looks "optimistic" :P

<snip>
function validatePassword($password) {

// --------------
// This function validates the plain password
// --------------

// Remove invisible characters in the beginning and at the end
        $password = trim($password);

// Remove XSS code
//      $password = RemoveXSS($password);

        return $password;

} // end validatePassword
</snip>
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 11:29:20 UTC
See http://www.securityfocus.com/archive/1/archive/1/447535/100/0/threaded for the original advisory.
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2008-03-07 10:59:55 UTC
oh boy ... masked
Comment 4 Techwolf 2008-03-30 20:06:52 UTC
This security bug was reported in 2006 and it is now 2008.
The securityfocus thread shows securfrog being debunked pretty hard.
The forums on the net2ftp site have an old thread dealing with the issue, basically saying the bug is in a very old version, more than three years ago from the post date.
http://www.net2ftp.org/forums/viewtopic.php?id=2267
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5097 also disputes this vulnerability.
This "bug" has been in the wild for three years but there are no exploits using it that I am aware of.
Masking it was a bit of knee jerk rush. Please reevaluate the masking.
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2008-04-03 08:35:50 UTC
well, the above snippet of user/password "validation" alone makes any security-aware person go sick. you can still unmask if you feel like it
Comment 6 Patrizio Bassi 2008-05-27 18:26:40 UTC
0.96 and 0.97 out....
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-27 20:43:37 UTC
(In reply to comment #6)
> 0.96 and 0.97 out....

I just had a look at 0.97 and the snippet from comment #1 doesn't seem to have changed.

Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-09 21:17:00 UTC
more issues with net2ftp...

http://secunia.com/advisories/30611/
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-08-17 23:43:07 UTC
mailed upstream
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-08-18 00:13:54 UTC
... without success:
<mailbox2@ibelgique.com>: host mailrecv.ifrance.com[82.196.5.130] said: 550
    <mailbox2@ibelgique.com>: Recipient address rejected: User unknown in local
    recipient table (in reply to RCPT TO command)
Comment 11 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-31 06:20:36 UTC
issued last rites. will be removed in 30 days.
Comment 12 Techwolf 2008-11-04 02:28:24 UTC
(In reply to comment #5)
> well, alone the above snippet of user/password "validation" makes any security
> aware person go sick. you can still unmask if you feel like it
> 

Please explain what is wrong with it? We are not all elite security experts. Should they be replaced with a library function that does proper sanitizing? If so, I could have a PHP script writer look into it.
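Added example (an editor's illustration, not a comment in this thread and not net2ftp's code), answering the question in comment #12 with the snippet quoted in comment #1: validateUsername() only trim()s the value, so a username containing markup reaches the page unchanged and, wherever index.php echoes it back, the browser executes it. The fix is not the commented-out "RemoveXSS" blacklist on input but HTML-encoding the value at the point where it is written into the response. The form template, the attacker payload and every function name other than validateUsername are constructed for this example.

```php
<?php
// Added example, not net2ftp source: shows why a trim()-only validator
// leaves the reflected XSS in place, and what output encoding looks like.
// The template string and the payload below are constructed for this demo.

declare(strict_types=1);

// Mirrors the validateUsername() quoted in comment #1: it strips leading and
// trailing whitespace and nothing else, so markup in the value survives.
function validateUsernameAsShipped(string $username): string
{
    return trim($username);
}

// Hypothetical login form that echoes the submitted username back into the
// value attribute. This stands in for the "returned to the user" behaviour
// the advisory describes; it is not net2ftp's actual index.php template.
function renderLoginFormVulnerable(string $username): string
{
    $u = validateUsernameAsShipped($username);
    return '<input type="text" name="username" value="' . $u . '">';
}

// Output encoder for HTML body/attribute context. ENT_QUOTES also encodes the
// single quote (matters for '...' attributes); ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop input.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened variant: validation is unchanged (trim() is fine as validation);
// the value is encoded where it is written into the page.
function renderLoginFormHardened(string $username): string
{
    $u = validateUsernameAsShipped($username);
    return '<input type="text" name="username" value="' . html($u) . '">';
}

// Constructed attacker input: closes the value attribute and injects an
// element with an event handler. The surrounding whitespace is there to show
// that trim() is the only thing the shipped validator changes.
$payload = '  "><img src=x onerror=alert(document.cookie)>  ';

$vuln = renderLoginFormVulnerable($payload);
$safe = renderLoginFormHardened($payload);

// The vulnerable rendering contains a live <img ...> element; the hardened
// rendering contains only text, because every ", < and > was entity-encoded.
if (strpos($vuln, '<img') === false) {
    throw new RuntimeException('expected the payload to be reflected as markup');
}
if (strpos($safe, '<img') !== false) {
    throw new RuntimeException('output encoding did not neutralise the payload');
}
if (strpos($safe, 'value="&quot;&gt;&lt;img') === false) {
    throw new RuntimeException('unexpected encoding of the attribute value');
}

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
```

Run it with `php xss_demo.php`; the three checks throw if the behaviour differs from what is described. The point for the question in comment #12: a "library function that sanitizes" on input is the wrong layer, because the same username may later be placed in HTML, in a JavaScript string or in a URL, and each context needs its own encoder. htmlspecialchars() with ENT_QUOTES is the correct one for HTML text and attribute values, which is the context the advisory describes.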
Comment 13 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-03 10:46:31 UTC
Ebuild removed. webapps done.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-27 22:16:17 UTC
Also, 10 months later... GLSA?
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:09:27 UTC
It's just XSS, my vote is NO, the bug is extremely old, closing noglsa.