PT-2020-20682 · Wing Ftp · Wing Ftp Server
Published
2020-03-07
·
Updated
2021-07-21
·
CVE-2020-9470
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Wing FTP Server versions prior to 6.2.5
Description
An issue was discovered due to insecure permissions when handling session cookies. A local user may view the contents of the session and session admin directories, exposing active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel.
Recommendations
For Wing FTP Server versions prior to 6.2.5, update to a version released after February 2020 to resolve the issue. As a temporary workaround, consider restricting access to the session and session admin directories to minimize the risk of exploitation.
Exploit
Fix
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wing Ftp Server