CVE-2020-9470: 
Wing FTP Server vulnerability analysis and mitigation

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. The vulnerability (CVE-2020-9470) relates to insecure permissions when handling session cookies, where a local user may view the contents of the session and session_admin directories. This exposes active session cookies within the Wing FTP HTTP interface and administration panel (NVD, Hooper Labs).

The vulnerability stems from unsafe handling of HTTP session cookies. When users successfully log in, Wing FTP Server saves sessions as '.lua' files within the '/session' and '/session_admin' directories with world-readable and world-writeable permissions. These session files use the '.lua' naming convention and are pinned to specific source IP addresses. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Hooper Labs).

The vulnerability allows any local user to read and modify session cookies of Wing FTP users or administrators. Since Wing FTP Server runs as a superuser and includes a Lua interpreter within the administration panel, compromise of an administrative account results in root code execution on the server. This enables attackers to execute Lua commands as root within the administration panel (Hooper Labs).

The vulnerability was identified, reported, and patched on February 28th, 2020. Users should upgrade to versions after Wing FTP Server 6.2.5 released after February 2020 to receive the security fix (Hooper Labs).