CVE-2020-8635: 
Wing FTP Server vulnerability analysis and mitigation

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris contains a vulnerability related to insecure permissions on installation directories and configuration files. The vulnerability, identified as CVE-2020-8635, was discovered and disclosed in March 2020. This security flaw affects the server software that supports multiple file transfer protocols including FTP, FTPS, HTTP, HTTPS, and SFTP (Hooper Labs).

The vulnerability stems from Wing FTP Server setting unsafe default permissions on sensitive configuration files. Specifically, user configuration files stored in $WINGFTP_DIR/Data/users/.xml are created with world-readable and world-writable permissions. Additionally, the users directory is created with full global permissions (777), allowing any system user to write to it. This insecure configuration enables unauthorized users to view existing user credentials and their MD5 password hashes, as well as forge new user accounts within the application (Hooper Labs).

The vulnerability allows any local user to potentially escalate privileges to root on affected systems. Attackers can view existing user credentials, modify user information, perform account takeover, and potentially gain unauthorized administrative access to the FTP server. The combination of world-readable and world-writable permissions on sensitive files creates a significant security risk that could lead to complete system compromise (Hooper Labs).

Users should ensure proper file permissions are set on installation directories and configuration files. Critical configuration files should have restricted permissions that prevent unauthorized access and modification. Additionally, users should upgrade to a patched version of Wing FTP Server if available (Hooper Labs).