CVE-2012-6339

MEDIUM 4.3 / 10.0
Published: December 31, 2012 at 11:50 AM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program.

CVSS Metrics

Base Score: 4.3
Severity: MEDIUM
Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Cerberus FTP Server versions prior to 5.0.6.0 are vulnerable to multiple cross-site scripting (XSS) flaws, enabling attackers to inject malicious scripts into the administrative web interface. Successful exploitation could lead to account compromise, data theft, and complete control over the FTP server, impacting sensitive file transfers and data integrity.

02 // Vulnerability Mechanism

Step 1: Payload Delivery (Log Entry): An attacker crafts a malicious log entry containing JavaScript or HTML code. This could be achieved by manipulating FTP commands or other server interactions that generate log entries.

Step 2: Payload Storage: The malicious log entry is stored within the Cerberus FTP Server's logs.

Step 3: Payload Delivery (Messages Field): An attacker with administrator privileges crafts a malicious message containing JavaScript or HTML code and enters it into the Messages field within the servermanager program.

Step 4: Victim Access: An administrator views the Log Manager or accesses the servermanager program.

Step 5: Payload Execution: The web interface renders the malicious log entry or message without proper sanitization, causing the injected JavaScript or HTML to execute within the administrator's browser, leading to XSS.

03 // Deep Technical Analysis

The vulnerability stems from inadequate input validation and output encoding within the Cerberus FTP Server's administrative web interface. The Log Manager component fails to properly sanitize log entries, and the Messages field within the servermanager program lacks proper sanitization as well, so attacker-supplied JavaScript or HTML is stored and later rendered in the web interface, leading to XSS. The root cause is a failure to implement proper output encoding (e.g., HTML entity encoding) when displaying user-supplied data within the web interface, combined with a lack of input validation to prevent malicious code from being stored in the logs or messages.
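The output-encoding failure described above, shown as an added example that is not Cerberus FTP Server code: a log viewer that builds table rows from log fields, first without encoding and then with HTML entity encoding. The `time|level|user|message` log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import html

# Constructed sample log lines in a hypothetical "time|level|user|message" format.
# The user field is client-supplied, so it can carry markup into the log.
SAMPLE_LOG = [
    "2012-12-01 10:00:01|INFO|alice|Login succeeded",
    "2012-12-01 10:00:07|WARN|<script>alert(1)</script>|Login failed",
    '2012-12-01 10:00:09|WARN|bob" onmouseover="x|Login failed',
]

ROW = ('<tr class="{level}"><td>{ts}</td>'
       '<td title="{user}">{user}</td><td>{msg}</td></tr>')

def parse(line):
    """Split a log line into four fields; the message may itself contain '|'."""
    ts, level, user, msg = line.split("|", 3)
    return {"ts": ts, "level": level, "user": user, "msg": msg}

def render_row_unsafe(entry):
    """The flaw: stored log fields are placed into markup unchanged."""
    return ROW.format(**entry)

def render_row_safe(entry):
    """The fix: entity-encode every field at output time.

    quote=True also encodes " and ', which matters because the user
    field is rendered inside a quoted attribute as well as in a cell.
    """
    encoded = {k: html.escape(v, quote=True) for k, v in entry.items()}
    return ROW.format(**encoded)

def render_table(lines, render_row):
    """Render all log lines with the chosen row renderer."""
    rows = "\n".join(render_row(parse(line)) for line in lines)
    return "<table>\n" + rows + "\n</table>"

if __name__ == "__main__":
    print(render_table(SAMPLE_LOG, render_row_unsafe))
    print(render_table(SAMPLE_LOG, render_row_safe))
```

Encoding at render time protects the viewer even when entries were written to the log before any input validation existed.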
