Recent changes to bugs

#17 XSS vulnerability

2016-08-03T08:01:10.350000Z

here is possible fix. it is alsopresent in v4.

XSS vulnerability

2016-08-03T08:00:26.720000Z

see https://packetstormsecurity.com/files/137001/phpwebftp-xss.txt

PHPWebFTP ver 3.3b - xss vulnerability , by N_A.
N_A [at] tutanota.com

Vendor has notified

Description

phpWebFTP enables connections to FTP servers, even behind a firewall not
allowing traffic. phpWebFTP bypasses the firewall by making a FTP connection
from your web server to the FTP server and transferring the files to your web
client over the http protocol

Vulnerability

PHPWebFTP ver 3.3b allows malicious code injection due to some variables we
can control. This allows an attacker to inject malicious code to carry out
XSS attacks upon the program.

----snip , index.php----

$server=$_SESSION['server'];
$user=$_SESSION['user'];
$password=$_SESSION['password'];
$language=$_SESSION['language'];
$port=$_SESSION['port'];
$passive=$_SESSION['passive'];

----snip , index.php----

further down in the code, the variables are passed without any
security/filtering checks:

----snip, index.php----

$ftp = new ftp($server, $port, $user, $password, $passive);
$ftp->setMode($mode);
$ftp->setCurrentDir($currentDir);

----snip, index.php----

Code injected into the [server] field: <script>alert('executed');</script>
This is also possible for the [username],[port] and [field] options.

N_A [at] tutanota.com

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

#15 files owned by a user or a group with a point are not shown

2016-08-03T06:06:55.731000Z

the patch might be :
--- include/ftp.class.php.old 2016-08-03 01:49:20.123000000 -0400
+++ include/ftp.class.php 2016-08-03 02:04:29.022000000 -0400
@@ -301,9 +301,9 @@
$regexp .= "\s+"; // one or more spaces
$regexp .= "(\d+)"; // numbers (?), $regs[2]
$regexp .= "\s+"; // one or more spaces
- $regexp .= "([\d\w-_]+)"; // user, $regs[3]
+ $regexp .= "([\d\w-_.]+)"; // user, $regs[3]
$regexp .= "\s+"; // one or more spaces
- $regexp .= "([\d\w-_]+)"; // group, $regs[4]
+ $regexp .= "([\d\w-_.]+)"; // group, $regs[4]
$regexp .= "\s+"; // one or more spaces
$regexp .= "(\d+)"; // size, $regs[5]
$regexp .= "\s+"; // one or more spaces

Filenames with space get cut on download

2013-10-29T16:12:14.645000Z

"my test file.txt" will become "my".
In inc/ftp_tools.php line 139 add quotes to the filename:
header('Content-Disposition: attachment; filename="' . $select_file . '"');

#12 Allways upload with ASCII mode

2013-08-28T11:02:43.209000Z

I use 3.3a verison; if you have other verison line numbers can be different; This happens bcz FTP_BINARY not equal 1.

You need to change 3 line:

in index.php:
291 -- $newMode=($ftp->mode==1)?0:1;
++ $newMode=($ftp->mode == FTP_BINARY)? FTP_ASCII: FTP_BINARY;
922 -- <?=$lblTransferMode;?>:
<?=$ftp->mode==1?$lblBinaryMode:$lblASCIIMode;?>
++ <?=$lblTransferMode;?>:
<?=$ftp->mode == FTP_BINARY? $lblBinaryMode: $lblASCIIMode;?>

in inluce/ftp.class.php
25 -- $mode = 0;
++ $mode = FTP_ASCII
67 -- function setMode($mode=1) {
++ function setMode($mode=FTP_BINARY) {

files owned by a user or a group with a point are not shown

2012-11-25T23:11:49Z

regex are incomplet as username could have point .

corrected with this :

--- ftp.class.php.old 2012-11-25 18:03:19.000000000 -0500
+++ ftp.class.php 2012-11-25 18:04:35.000000000 -0500
@@ -299,9 +299,12 @@
$regexp .= "\s+"; // one or more spaces
$regexp .= "(\d+)"; // numbers (?), $regs[2]
$regexp .= "\s+"; // one or more spaces
- $regexp .= "([\d\w\-_]+)"; // user, $regs[3]
+# $regexp .= "([\d\w\-_]+)"; // user, $regs[3]
+# $regexp .= "\s+"; // one or more spaces
+# $regexp .= "([\d\w\-_]+)"; // group, $regs[4]
+ $regexp .= "([\d\w\-_.]+)"; // user, $regs[3]
$regexp .= "\s+"; // one or more spaces
- $regexp .= "([\d\w\-_]+)"; // group, $regs[4]
+ $regexp .= "([\d\w\-_.]+)"; // group, $regs[4]
$regexp .= "\s+"; // one or more spaces
$regexp .= "(\d+)"; // size, $regs[5]
$regexp .= "\s+"; // one or more spaces

Showing no files when user != group

2009-10-19T21:29:55Z

When the group differs from the login user these files are not shown.
Files should at least be shown if a group has rw permissions and the user is in or the user has rw permissions.
I figured this out using mod-fcgi, all files with permission fcgiuser:www-data, php running as fcgiuser.
New files can be created, edited and deleted although the webroot folder has also permission fcgiuser:www-data.
I thried this using phpWebFTP 4.0 and 3.3b both having this issue

Best regards Fabio

file download problem, files open corrupt

2007-11-13T15:49:55Z

hello...i have up and running the 3.3b version and its working good minus the fact that if i upload a file and then try to download it...it opens corrupt. this is on pdf, word and excel....notepad txt files seems to work fine.
unfortantely i can not seem to figure why this is happening and can not use this product unless this is fixed

Allways upload with ASCII mode

2007-03-21T10:26:48Z

Hello i am using phpWebFTP with easyphp (windows,apache,php4) without problem but now i installed apache and php5 and the phpWebFTP allways use ascii mode. I use both versions of phpWebFTP with same problem. When i use the same code in a server with php4 i have no problem. The ftp server always are the same. i look php.ini and apache configuration and i cannot see anything wrong. Can u have any idea? Thx for advance

Russian messages sre not displayed correctly

2007-03-04T07:39:31Z

If the Russian language is chosen, the messages are not displayed correctly - the text is unreadable. The bug must be related with some codepage error.

rp@gorodok.net