Latest News

[Security] WS_FTP Server Security Vulnerability Hotfix

2022/07/29

WS_FTP Server Security Vulnerability Hotfix

Dear Partner,
The Progress WS_FTP team recently became aware of multiple security vulnerabilities in WS_FTP Server prior to version 8.7.3. We have addressed the issues and have made a hotfix available for customers to remediate them. As an important partner, you are receiving this pre-notification to allow time for you to review the issues addressed in the hotfix and adequately prepare for assisting customers.

For customers running WS_FTP Server prior to 8.7.3, please apply the latest hotfix.


Security Issues and Potential Impact
.Reflected Cross-Site Scripting (XSS)
In WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the WS_FTP Server administrative web interface. A remote attacker could inject arbitrary JavaScript into a WS_FTP administrator's web session, which would allow the attacker to execute code in the context of the victim's browser.

.Cross-Site Request Forgery (CSRF)
In WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery attacks.
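As an added illustration (not WS_FTP Server code or Progress's hotfix), here is how the two controls the advisory describes look in a minimal admin form handler: a per-session anti-CSRF nonce that is embedded in the form and validated on submit, and HTML-escaping of a reflected query parameter. The names Session, render_search_form and handle_state_change are hypothetical.

```python
# Constructed example (not WS_FTP Server code): a minimal model of the two
# controls an admin web interface needs against the issues in the advisory,
# a per-session anti-CSRF nonce on forms and HTML-escaping of reflected input.
import html
import hmac
import secrets


class Session:
    """Server-side session state for one logged-in administrator (hypothetical)."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_nonce = secrets.token_urlsafe(32)  # generated once per session


def render_search_form(session: Session, query: str) -> str:
    """Render the admin form, reflecting the user's query safely.

    html.escape(quote=True) neutralises <, >, &, " and ' so a crafted query
    cannot break out of the attribute or the element it is reflected into.
    The nonce is embedded as a hidden field for the browser to send back.
    """
    return (
        '<form method="post" action="/admin/users">'
        f'<input type="hidden" name="csrf_nonce" value="{session.csrf_nonce}">'
        f'<input name="q" value="{html.escape(query, quote=True)}">'
        f"<p>Results for: {html.escape(query)}</p>"
        "</form>"
    )


def handle_state_change(session: Session, form: dict) -> tuple:
    """Accept a state-changing POST only if it carries this session's nonce.

    A request forged from another origin cannot read the nonce out of the
    victim's page, so it cannot supply a matching value. compare_digest
    keeps the comparison constant-time.
    """
    supplied = form.get("csrf_nonce", "")
    if not hmac.compare_digest(supplied, session.csrf_nonce):
        return 403, "rejected: missing or invalid CSRF nonce"
    return 200, f"user settings updated for {session.user}"
```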


Resolution
We have addressed these vulnerabilities, and the Progress WS_FTP team strongly recommends upgrading to the hotfix: WS_FTP Server 8.7.3.
Hotfix documentation link
KB article link


Sincerely,
The Progress WS_FTP Team

Product page
