CVE-2023-40045
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in WS_FTP Server's Ad Hoc Transfer module allows attackers to execute malicious JavaScript in victims' browsers by tricking them into clicking specially crafted links. All WS_FTP Server users with vulnerable versions are affected, particularly those using the web interface for file transfers.
💻 Affected Systems
- WS_FTP Server
📦 What is this software?
Ws Ftp Server by Progress
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware through drive-by downloads.
Likely Case
Session hijacking leading to unauthorized file access, data theft, or privilege escalation within the WS_FTP Server environment.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link), but exploitation is straightforward once a payload has been crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.7.4 or 8.8.2
Vendor Advisory: https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023
Restart Required: Yes
Instructions:
1. Download WS_FTP Server version 8.7.4 or 8.8.2 from Progress Software.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the WS_FTP Server service.
5. Verify functionality.
🔧 Temporary Workarounds
Disable Ad Hoc Transfer Module
(Windows) Temporarily disable the vulnerable Ad Hoc Transfer feature if it is not required.
Navigate to WS_FTP Server Admin > Modules > Disable Ad Hoc Transfer
Implement WAF Rules
(All platforms) Add XSS protection rules to the web application firewall.
Add a rule to block requests containing <script>, javascript:, or other common XSS payload patterns.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to restrict script execution
- Use network segmentation to isolate WS_FTP Server from critical systems
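The two mitigations the advisory names, output encoding ("If Mitigated") and a strict Content Security Policy ("If You Can't Patch"), shown as working code. This is an added example, not code from WS_FTP Server or from Progress: a minimal handler that reflects a user-supplied parameter safely, beside the unsafe form it replaces, plus a small CSP parser for checking that a deployed policy really forbids inline scripts and javascript: URLs. The `msg` parameter name, the response headers, and the policy string are illustrative choices, not the product's own.

```python
"""Output encoding and a Content-Security-Policy check for a reflected parameter.

Added example (not from the advisory or from Progress). Parameter name, header
set and policy string are assumptions chosen for illustration.
"""
import html

# Assumed policy: scripts only from the same origin, no inline script, no plugins,
# and the page may not be framed. script-src without 'unsafe-inline' also blocks
# javascript: URLs and on*= event-handler attributes.
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"


def render_unsafe(msg: str) -> str:
    """The defect class the advisory describes: parameter copied verbatim into HTML."""
    return f"<p>Status: {msg}</p>"


def render_safe(msg: str) -> str:
    """Hardened form: entity-encode the parameter for an element-body context.

    quote=True also encodes single and double quotes, so the same helper is
    safe inside a quoted attribute value as well.
    """
    return f"<p>Status: {html.escape(msg, quote=True)}</p>"


def build_response(params: dict) -> tuple:
    """Return (headers, body) for a request; the CSP header is defence in depth."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": STRICT_CSP,
        "X-Content-Type-Options": "nosniff",
    }
    return headers, render_safe(params.get("msg", ""))


def parse_csp(value: str) -> dict:
    """Parse a CSP header into {directive: [sources]}.

    Per the specification, a directive repeated later in the header is ignored,
    so the first occurrence wins.
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_blocks_inline_scripts(value: str) -> bool:
    """True when the effective script source list forbids inline scripts.

    script-src falls back to default-src; with neither present nothing restricts
    scripts. The check is deliberately conservative: a policy that combines
    'unsafe-inline' with a nonce or hash is treated as not blocking, even though
    CSP2+ browsers would ignore 'unsafe-inline' in that case.
    """
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in {s.lower() for s in sources}


if __name__ == "__main__":
    sample = "<b>hello</b> <img src=x onerror=alert(1)>"  # constructed input
    print(render_unsafe(sample))
    print(render_safe(sample))
    print(csp_blocks_inline_scripts(STRICT_CSP))
```

Run the CSP check against the header the server actually returns (for example the value of `Content-Security-Policy` from an HTTP response to the Ad Hoc Transfer page) rather than against the intended configuration; a policy that is set in one place and overridden by a proxy or a later directive is a common reason the mitigation is weaker than expected.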
🔍 How to Verify
Check if Vulnerable:
Check the WS_FTP Server version in the Admin interface: Help > About. If the version is earlier than 8.7.4 (8.7 branch) or earlier than 8.8.2 (8.8 branch), the system is vulnerable.
Check Version:
In WS_FTP Server Admin: Navigate to Help > About to view version
Verify Fix Applied:
After patching, verify that the version shown in Help > About is 8.7.4 or 8.8.2, and test that Ad Hoc Transfer functionality works normally.
📡 Detection & Monitoring
Log Indicators:
- Unusually long URLs in access logs
- Requests containing script tags or javascript: protocol
- Multiple failed login attempts followed by successful access
Network Indicators:
- HTTP requests with suspicious parameters in Ad Hoc Transfer URLs
- Outbound connections to unknown domains after WS_FTP access
SIEM Query:
source="ws_ftp_logs" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
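The log indicators and SIEM query above, and the WAF pattern list under Temporary Workarounds, as runnable detection logic applied to constructed sample access-log lines. This is an added example, not code from the advisory or from Progress. It goes one step beyond the literal SIEM query by URL-decoding the request before matching: a reflected payload in a query string normally arrives percent-encoded, so a raw `*<script>*` wildcard would miss `%3Cscript%3E`. The combined log format, the `/AHT/` path, the client addresses and the 512-character length threshold are all assumptions.

```python
"""Scan web access logs for the reflected-XSS indicators listed in the advisory.

Added example (not from the advisory or from Progress). Log format, the /AHT/
module path, client addresses and the length threshold are assumed.
"""
import re
from urllib.parse import unquote_plus

# Mirrors the advisory's SIEM query (<script>, javascript:, onerror=, onload=),
# matched case-insensitively against the URL-decoded request so that
# "%3Cscript%3E", "JaVaScRiPt:" and "onerror%3D" are still caught.
XSS_PATTERNS = re.compile(r"<\s*script|javascript\s*:|on(?:error|load)\s*=", re.IGNORECASE)

# Assumed threshold for the advisory's "unusually long URL" indicator.
LONG_URL_THRESHOLD = 512

# Combined-log-format line: client, identd, user, [timestamp], "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the "/AHT/" prefix stands in for the Ad Hoc Transfer
# module path and is an assumption, as are the addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:00:01 +0000] "GET /AHT/Index.aspx HTTP/1.1" 200 5120
10.0.0.7 - - [01/Oct/2023:10:00:09 +0000] "GET /AHT/Index.aspx?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300
10.0.0.9 - - [01/Oct/2023:10:01:15 +0000] "GET /AHT/Index.aspx?link=JAVASCRIPT:void(0) HTTP/1.1" 200 5200
10.0.0.11 - - [01/Oct/2023:10:02:30 +0000] "GET /AHT/Index.aspx?img=x%20onerror%3Dalert(1) HTTP/1.1" 200 5200
10.0.0.13 - - [01/Oct/2023:10:03:00 +0000] "GET /AHT/Download.aspx?id=12345 HTTP/1.1" 200 1024
"""


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_url(url: str) -> list:
    """Return the indicator names that fire for a request URL (empty list if none)."""
    # unquote_plus decodes %XX sequences and turns '+' into a space, which is the
    # right reading for a query string; match on the decoded form.
    decoded = unquote_plus(url)
    findings = []
    if XSS_PATTERNS.search(decoded):
        findings.append("xss_pattern")
    if len(url) > LONG_URL_THRESHOLD:
        findings.append("long_url")
    return findings


def scan_log(text: str) -> list:
    """Return one alert dict per log line that triggers at least one indicator."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently treated as clean
        hits = classify_url(rec["url"])
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "url": rec["url"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["indicators"], alert["url"])
```

Pattern matching on URLs is a coarse signal: it fires on the attempt, not on a successful exploit, and a 200 response only says the page was served. Correlate a hit with the session and user that clicked the link and with the outbound-connection indicator above before treating it as a compromise.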