www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown

Scanning your ftp server? - Last Modified 2012-09-18 19:27 UTC - Created 2012-09-18 19:27 UTC

So many organizations that care about their web presence will have security scans run against their web servers. I wonder though how many have thought to have their public ftp servers scanned as well?

I guess EA.com didn't. They have a XSS vulnerability that is served up via ftp.ea.com. Providing a URL such as ftp://ftp.ea.com/web/index.htm is perfectly valid for the major web browsers. This also opens up XSS that may be missed since most organizations don't think to scan the web content on them as well.

I did notify EA, but I never got a response back.