Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswitch products, allows remote attackers to bypass authentication and read logs via a logLogout action to FTPLogServer/login.asp followed by a request to FTPLogServer/LogViewer.asp with the localhostnull account name.

According to its banner, the remote host is running a version of WS_FTP earlier than 6.1.1.  Such versions are reportedly affected by multiple vulnerabilities :

  - Improper handling of UDP packets within the FTP log     server may allow an attacker to crash the affected     service. (CVE-2008-0608)

  - There is a buffer overflow vulnerability in the SSH     Server service that can be triggered when handling     arguments to the 'opendir' command. (CVE-2008-0590)

  - An attacker can exploit a vulnerability in the     'FTPLogServer/LogViewer.asp' script to gain access to     the log viewing interface. (CVE-2008-5692)

The remote host is running a version of WS_FTP earlier than 6.1.1.
Such versions are reportedly affected by multiple vulnerabilities :

  - Improper handling of UDP packets within the FTP log     server may allow an attacker to crash the affected     service. (CVE-2008-0608)

  - There is a buffer overflow vulnerability in the SSH     Server service that can be triggered when handling     arguments to the 'opendir' command. (CVE-2008-0590)

  - An attacker can exploit a vulnerability in the     'FTPLogServer/LogViewer.asp' script to gain access to     the log viewing interface. (CVE-2008-5692)

This host is running a vulnerable version of WS_FTP FTP server. Versions up to and including 6.1.0 are reported prone to multiple flaws:

 - A vulnerability caused by an improper handling of UDP packets within the FTP log server.  An attacker can exploit this to crash the affected service. (CVE-2008-0608)

 - A buffer overflow vulnerability in the SSH server service when handling arguments to the 'opendir' command. (CVE-2008-0590)

 - An information disclosure vulnerability when processing HTTP requests for the 'FTPLogServer/LogViewer.asp' script.  An attacker can exploit this to gain access to the log viewing interface. (CVE-2008-5692)

The remote host is running WS_FTP Server Manager, also known as WS_FTP WebService, a web-based administration tool included, for example, with Ipswitch WS_FTP Server. 

The version of WS_FTP Server Manager installed on the remote host allows an attacker by bypass authentication and gain access to ASP scripts in the '/WSFTPSVR/FTPLogServer' folder by first calling the login script to obtain a session cookie.  By leveraging this issue, an attacker can view log entries collected by the Logger Server, which may contain sensitive information.  The attacker can not, though, otherwise gain administrative control of the affected application.

ID	Name	Product	Family	Severity
40772	Ipswitch WS_FTP Server < 6.1.1 Multiple Vulnerabilities (uncredentialed check)	Nessus	FTP	high
40771	Ipswitch WS_FTP Server < 6.1.1 Multiple Vulnerabilities	Nessus	FTP	high
4361	WS_FTP Server < 6.1.1 Multiple Vulnerabilities	Nessus Network Monitor	FTP Servers	high
30208	Ipswitch WS_FTP Server Manager /WSFTPSVR/FTPLogServer/LogViewer.asp Authentication Bypass	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2008-5692

critical

Tenable Plugins

high

high

high

medium