In addition, the software follows symbolic links by default for all users. The program runs as a superuser and therefore may access any directory or file as a superuser. Wing FTP server does not appear to check permissions while conducting file operations. After examining a few attack scenarios, it will become clear that the only prerequisite for escalation of privilege is command execution on the server as any user.

Attack Scenario: Issue 1 Unsafe interpretation of symbolic links

A low-privilege Linux user (lowleveluser) with terminal access also has a Wing FTP account and access to their home directory (/home/lowleveluser).
This may only be done if the user has full write privileges to $WINGFTP_DIR.

For the following attack scenarios, consider a Wing FTP Server installation on a Linux (Ubuntu 18.04) host. The server will also open these services once a "domain" folder is created within $WINGFTP_DIR with a valid portlistener.xml file inside. If a service is already running on one of those ports, Wing FTP does not override that service. Once a domain is created within the administrative interface ( Wing FTP server opens services on TCP ports 21 (FTP), 990 (FTPS), 80 (HTTP), 443 (HTTPS), 22 (SSH). Ports will not open until the server is further configured. The installation directory hereon will be referred to as $WINGFTP_DIR. During installation, the software prompts the user to create an administrative user, an administrative password, choose which port the administrative HTTP interface should use (default 5466), then asks whether Wing FTP Server should start. Within the directory, run the wftpserver binary.
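An administrator can audit $WINGFTP_DIR for the conditions this page describes: files left world-writable or world-readable, and symbolic links that resolve outside the installation directory. The following is an added example, not code from the advisory or from Wing FTP; `audit_tree`, `build_sample_tree` and the sample layout are constructed for illustration, and only the portlistener.xml file name comes from the page.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (issue, relative_path) findings for an install directory."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat inspects the link itself, never its target
            if stat.S_ISLNK(st.st_mode):
                # A root-run server that follows links will act on this target.
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append(("symlink-escapes-root", rel))
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            # Assumption: which files hold settings or hashes is not known here,
            # so every world-readable regular file is listed for review.
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                findings.append(("world-readable", rel))
    return findings and sorted(findings)

def build_sample_tree():
    """Constructed sample layout; private.xml and the link names are hypothetical."""
    base = tempfile.mkdtemp()
    install, outside = os.path.join(base, "install"), os.path.join(base, "outside")
    os.makedirs(os.path.join(install, "domain1"))
    os.makedirs(outside)
    for d in (install, os.path.join(install, "domain1")):
        os.chmod(d, 0o755)
    for rel, mode in (("domain1/portlistener.xml", 0o666), ("private.xml", 0o600)):
        p = os.path.join(install, rel)
        with open(p, "w") as fh:
            fh.write("<constructed/>")
        os.chmod(p, mode)  # chmod sets the mode exactly, independent of umask
    os.symlink(outside, os.path.join(install, "link_out"))
    os.symlink(os.path.join(install, "domain1"), os.path.join(install, "link_in"))
    return install

if __name__ == "__main__":
    for issue, rel in audit_tree(build_sample_tree()):
        print(f"{issue:22} {rel}")
```

Run it against the real installation directory by calling `audit_tree` with that path; an empty result means none of the three conditions was found.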
To install the server, download the archive from the Wing FTP website and extract. By default, the server sets unsafe permissions on system files, compromising the integrity of system settings and confidentiality of user password hashes. Wing FTP Server sets an unsafe umask (permissions) for all files modified within the web interface. Wing FTP Server follows symbolic links by default. Three weaknesses were discovered in the software which make exploitation possible. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server.

Download Link: Wing FTP Server Software Downloads

Vulnerabilities - Unsafe UMask Set (CVE-2020-8634) and Unsafe Permissions on System Files (CVE-2020-8635)

A number of weaknesses in Wing FTP Server allow any local user to escalate privileges to root on Linux, MacOS, and Solaris. And it provides admins with a web-based interface to administrate the server from anywhere.
It supports multiple file transfer protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP, giving your clients flexibility in how they connect to the server. From the official website: Wing FTP Server is an easy-to-use, secure, and reliable FTP server software for Windows, Linux, Mac OS, and Solaris.