Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Wing FTP Server Local Path Disclosure Vulnerability

Vulnerability

A local path disclosure vulnerability has been identified in Wing FTP Server versions prior to 7.4.4. The issue arises in the 'loginok.html' file, where the application inadvertently reveals the full local installation path when a long value is used in the UID cookie. This vulnerability can be exploited by manipulating the UID cookie to include excessive data, causing the server to respond with the sensitive path information.

Impact

Exploitation of this vulnerability discloses the application's local installation path to an unauthenticated requester. On its own the leak is low-severity, but the path reveals the install location and operating-system layout, information an attacker can use to target follow-on attacks more precisely.

Reproduction

To reproduce this vulnerability, send a request to the Wing FTP Server web interface with a UID cookie that contains a long value. The server will respond with the 'loginok.html' file, disclosing the full local installation path of the application. This can be done using a web browser or a tool that allows for cookie manipulation, such as a browser extension or a script that modifies cookie values.
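The trigger described above is easy to spot from the server side: a legitimate session cookie is a short token, so a request carrying an oversized UID cookie is the signal to alert on. The following detection example is added here and is not part of the advisory or of Wing FTP Server. It assumes a constructed log format that records the request line and the Cookie header (real web-server logs usually need a custom log format to include cookies), and the 64-character threshold is an assumption chosen for the example, not a figure from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: a genuine UID session cookie is a short token, so anything
# longer than this is treated as an attempt to trigger the path disclosure.
# The value is an assumption for this example, not taken from the advisory.
MAX_UID_LEN = 64

# Constructed log format (assumption): <ip> "<METHOD> <path>" <status> "<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<cookies>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    path: str
    uid_len: int


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict (first occurrence wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def inspect_request(cookie_header: str, max_uid_len: int = MAX_UID_LEN) -> Optional[int]:
    """Return the UID cookie length when it exceeds the threshold, else None."""
    uid = parse_cookies(cookie_header).get("UID")
    if uid is not None and len(uid) > max_uid_len:
        return len(uid)
    return None


def scan_log(lines, max_uid_len: int = MAX_UID_LEN) -> list:
    """Parse constructed log lines and report requests carrying an oversized UID cookie."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than fail the whole scan
        uid_len = inspect_request(match["cookies"], max_uid_len)
        if uid_len is not None:
            findings.append(Finding(match["ip"], match["path"], uid_len))
    return findings


# Constructed sample log: one normal login, one request with a 300-character UID
# cookie, and one request with no UID cookie at all.
SAMPLE_LOG = [
    '203.0.113.5 "GET /login.html" 200 "UID=abc123def456"',
    '203.0.113.7 "POST /loginok.html" 200 "UID=' + "A" * 300 + '; lang=en"',
    '198.51.100.2 "GET /main.html" 200 "lang=en"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"oversized UID cookie ({finding.uid_len} chars) from {finding.ip} to {finding.path}")
```

The same `inspect_request` check can be placed in front of the server (a reverse proxy or WAF rule that rejects requests whose UID cookie exceeds the threshold) as a stopgap until the upgrade to 7.4.4 is applied; the log scan covers hosts where only historical access logs are available.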

Remediation

Users are advised to update to Wing FTP Server version 7.4.4 or later, where this vulnerability has been fixed.

Added: Jul 10, 2025, 5:54 PM
Updated: Mar 16, 2026, 5:04 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.0
exploitability: 9.8
remediation: 7.7
relevance: 0.2
threat: 8.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.