SFTPGo Command Injection Vulnerability in Rsync Feature Allows Unauthorized File Access or Modification

Vulnerability

A command injection vulnerability has been identified in SFTPGo, an open-source file transfer solution, versions 0.9.5 through 2.6.4. The issue arises from insufficient sanitization of user-provided 'rsync' commands, allowing authenticated remote users to manipulate files with the same permissions as the SFTPGo server process. This vulnerability is particularly concerning because it could be exploited to read or write files on the server.

Impact

Exploitation of this vulnerability could lead to unauthorized file access or modification, allowing users to read or write files with the permissions of the SFTPGo server process.

Reproduction

To reproduce this vulnerability, an authenticated user can send a crafted 'rsync' command that includes unauthorized options. The absence of proper input validation allows these options to be executed, potentially leading to unauthorized file access or modification.

Remediation

Users are advised to upgrade to SFTPGo version 2.6.5 or later, where this vulnerability has been addressed by implementing proper checks on the 'rsync' command arguments.
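As an added illustration of the kind of argument check the remediation describes (this is example code, not SFTPGo's own implementation or the actual 2.6.5 fix), the validator below only lets a client-supplied rsync argv through when every option is on a fixed allow-list and every path stays inside the expected tree. The option letters, long options and path rules are assumptions chosen for the example, not rsync's full server-mode grammar.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRejected wraps every validation failure so callers can log and deny uniformly.
var ErrRejected = errors.New("rsync argument rejected")

// Hypothetical allow-lists for this example (not SFTPGo's policy): exact long options,
// plus the letters permitted inside a bundled short-option group such as -vlt.
var allowedLong = map[string]bool{"--server": true, "--sender": true, "--delete": true}
const allowedShort = "vlogDtprz"

// ValidateRsyncArgs checks an already-split argv (never a shell string) and returns the
// path arguments the session may touch. Unknown flags, --opt=value forms, a bare "-"
// and parent-directory traversal are all rejected; anything not listed is denied.
func ValidateRsyncArgs(argv []string) ([]string, error) {
	if len(argv) == 0 || argv[0] != "rsync" {
		return nil, fmt.Errorf("%w: command must be rsync", ErrRejected)
	}
	var paths []string
	for _, a := range argv[1:] {
		switch {
		case strings.HasPrefix(a, "--"):
			if !allowedLong[a] {
				return nil, fmt.Errorf("%w: unknown option %q", ErrRejected, a)
			}
		case strings.HasPrefix(a, "-"):
			if len(a) < 2 || strings.Trim(a[1:], allowedShort) != "" {
				return nil, fmt.Errorf("%w: unknown flag in %q", ErrRejected, a)
			}
		case a == "." || strings.HasPrefix(a, "/"):
			if strings.Contains("/"+a+"/", "/../") {
				return nil, fmt.Errorf("%w: traversal in %q", ErrRejected, a)
			}
			paths = append(paths, a)
		default:
			return nil, fmt.Errorf("%w: unexpected argument %q", ErrRejected, a)
		}
	}
	if len(paths) == 0 {
		return nil, fmt.Errorf("%w: no path given", ErrRejected)
	}
	return paths, nil
}

func main() {
	fmt.Println(ValidateRsyncArgs([]string{"rsync", "--server", "--sender", "-vlogDtpr", ".", "/home/user/data"}))
}
```

A real server would additionally resolve each returned path against the user's virtual root before handing it to rsync.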

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.