Summary
===============================================
phpWebFTP enables connections to FTP servers, even behind a firewall not
allowing traffic. phpWebFTP bypasses the firewall by making an FTP
connection from your webserver to the FTP server and transferring the files
to your web client over the HTTP protocol.
===========================================
Issue:
Well, I have found that most of the sites that use phpWebFTP v3.2 or lower
have a problem. The user login script is a JavaScript file called
script.js. This file validates the user input in the logon box. But to my
surprise, this file can be accessed directly by a web browser. The disclosure of
the source code can help an attacker to trigger code injections.
Further, a directory traversal is possible via malicious arguments passed from
the web browser using the POST method, relative to the path of phpWebFTP, i.e.
http://www.anysite.com/PhpWebFtp/index.php? .
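
A server-side confinement check for a path argument arriving in a POST body, shown here as an added example that is not phpWebFTP's own code. The function name `confine_path`, the parameter name `file` and the base directory are assumptions; the check runs on the server because validation in script.js executes in the browser and can be skipped by any client.

```php
<?php
// Added example, not phpWebFTP code. confine_path() is a hypothetical helper.

/**
 * Resolve $userPath lexically inside $baseDir.
 * Returns the confined absolute path, or null if the request must be refused.
 */
function confine_path(string $baseDir, string $userPath): ?string
{
    // NUL bytes and control characters have no place in a file name.
    if (preg_match('/[\x00-\x1f\x7f]/', $userPath)) {
        return null;
    }
    // Treat backslashes as separators so "..\" is handled like "../".
    $userPath = str_replace('\\', '/', $userPath);

    $parts = [];
    foreach (explode('/', $userPath) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;               // leading "/" is dropped: path stays relative to base
        }
        if ($segment === '..') {
            if (count($parts) === 0) {
                return null;        // would climb above the base directory
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    $base = rtrim($baseDir, '/');
    $candidate = $base . '/' . implode('/', $parts);

    // If the target exists, also resolve symlinks and re-check the prefix.
    $real = realpath($candidate);
    $realBase = realpath($base);
    if ($real !== false && ($realBase === false
            || strncmp($real . '/', $realBase . '/', strlen($realBase) + 1) !== 0)) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs standing in for $_POST['file'] (assumed name).
$base = '/var/www/phpwebftp/tmp';   // constructed placeholder directory
foreach (['report.txt', 'a/../b.txt', '../../etc/passwd', '..\\..\\boot.ini', "x\0.php"] as $in) {
    printf("%-22s => %s\n", json_encode($in), confine_path($base, $in) ?? 'REJECTED');
}
```

The value must not be URL-decoded again after this check, otherwise an encoded `..` segment that passed as a literal name becomes a traversal.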