[Original text] Cross-site scripting (XSS) vulnerability in Fastream NETFile Server 126.96.36.1998 allows remote attackers to inject arbitrary web script or HTML via the URL, which is displayed on a "404 Not Found" error page.
It has been reported that a cross-site scripting vulnerability may exist in NetFile that may allow remote attackers to execute HTML or script code in a user's browser. The issue is reported to occur in the "404 Not Found" error message returned to the user when a request is made for a URL that does not exist. The error message reportedly contains the bad URL, which is not properly sanitized, allowing an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser.
Successful exploitation of this attack may allow an attacker to steal cookie-based authentication information that could be used to launch further attacks.
NetFile FTP/Webserver Version 188.8.131.528 has been reported to be prone to this issue; however, other versions may be affected as well.
NetFile contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate URLs that are returned in error messages for nonexistent pages. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
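The class of flaw described above, an error page that echoes the requested URL, shown beside the output-encoding fix. This is an added example, not code from the advisory or from NetFile; the page template, function names and sample path are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Hypothetical 404 template; the real server's markup is not shown in the advisory.
PAGE = ("<html><body><h1>404 Not Found</h1>"
        "<p>The requested URL {url} was not found on this server.</p>"
        "</body></html>")

# Constructed sample request path carrying percent-encoded, harmless markup.
SAMPLE_PATH = "/no-such-page%3Cb%3Ebold%3C/b%3E"


def render_404_unsafe(raw_path: str) -> str:
    """Flawed pattern: the decoded URL is placed into the HTML unchanged,
    so any markup in the path becomes part of the page."""
    return PAGE.format(url=unquote(raw_path))


def render_404_safe(raw_path: str) -> str:
    """Hardened pattern: decode first, then HTML-escape at output time,
    so <, >, &, " and ' in the path are rendered as plain text."""
    return PAGE.format(url=html.escape(unquote(raw_path), quote=True))


def error_response_headers() -> dict:
    """Defence-in-depth headers for an error page that needs no scripts."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }


def reflects_markup(body: str, raw_path: str) -> bool:
    """Check usable in a regression test or scanner: does the response
    contain the decoded path verbatim, including an angle bracket?"""
    decoded = unquote(raw_path)
    return "<" in decoded and decoded in body


if __name__ == "__main__":
    print(reflects_markup(render_404_unsafe(SAMPLE_PATH), SAMPLE_PATH))
    print(reflects_markup(render_404_safe(SAMPLE_PATH), SAMPLE_PATH))
```

Escaping after decoding matters: escaping the still-encoded path and decoding afterwards would reintroduce the raw characters.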