Progress WS_FTP Server Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Progress WS_FTP Server version 8.6.0. This issue arises from improper handling of user input, allowing for the execution of malicious code and commands on the client side. The vulnerability can be exploited by injecting harmful payloads into the subdirectory search bar or the 'Add folder' filename boxes. One example of exploitation is through client-side template injection via the 'subFolderPath' parameter, targeting the 'ThinClient/WtmApiService.asmx/GetFileSubTree' endpoint.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute malicious JavaScript in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, enter a malicious payload into the subdirectory search bar or the 'Add folder' filename boxes. This will trigger the cross-site scripting vulnerability by executing the injected JavaScript in the browser.

Remediation

Users are advised to upgrade to WS_FTP Server version 8.8.2 or later. For those on a current maintenance agreement, the upgrade is available through the Progress Community. Customers not on a maintenance agreement should contact the Progress Renewals team or their Progress partner account representative.