Executive Summary

CVE-2020-37079 is a Cross-Site Request Forgery (CSRF) vulnerability found in Wing FTP Server versions prior to 6.2.7, specifically in the web administration interface.

This vulnerability allows attackers to craft malicious HTML pages containing hidden forms that can submit unauthorized requests to delete administrative user accounts without proper authorization.

An attacker can exploit this by tricking an authenticated administrator into loading a malicious page, which then sends a request to delete the admin user account.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to the deletion of administrative user accounts on the Wing FTP Server without proper authorization.

This forces the administrator to reinstall the application and recreate the admin account, causing significant disruption.

It also poses privilege escalation risks because an attacker can remove admin users, potentially gaining unauthorized control or causing denial of administrative access.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a Cross-Site Request Forgery (CSRF) attack targeting the web administration interface of Wing FTP Server versions prior to 6.2.7. Detection involves monitoring for unauthorized POST requests to the endpoint `/admin_delete_admin.html` that attempt to delete admin users.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation attempts by inspecting web server logs or network traffic for suspicious POST requests to `/admin_delete_admin.html` with parameters such as `username=admin` and an additional random parameter `r`.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': 'Using grep on server logs to find suspicious POST requests: `grep "/admin_delete_admin.html" /path/to/access.log | grep POST`'}, {'type': 'list_item', 'content': 'Using tcpdump or tshark to capture HTTP POST requests to the vulnerable endpoint: `tcpdump -A -s 0 \'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)\' | grep "/admin_delete_admin.html"`'}, {'type': 'list_item', 'content': 'Using a web application firewall (WAF) or IDS/IPS to alert on POST requests to `/admin_delete_admin.html` without proper referer headers or from unexpected sources.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Wing FTP Server to version 6.2.7 or later, where the vulnerability has been patched.

The patch includes enhanced referer header validation to ensure that requests to delete admin users originate from the same host, preventing CSRF attacks.

If immediate upgrade is not possible, consider implementing the following temporary mitigations:

• Restrict access to the web administration interface to trusted IP addresses or networks.
• Deploy a web application firewall (WAF) to block or alert on suspicious POST requests to `/admin_delete_admin.html`.
• Monitor logs for unusual admin deletion attempts and respond promptly.
• Educate administrators to avoid clicking on untrusted links or visiting suspicious web pages while authenticated to the admin interface.

Useful 0 Not Useful 0