CrushFTP Directory Traversal Vulnerability Allowing SMB File Access

Vulnerability

A directory traversal vulnerability has been identified in CrushFTP versions 9.x, 10.x prior to 10.8.4, and 11.x prior to 11.3.1. It allows unauthorized access to files over the SMB protocol by injecting UNC pathnames, bypassing SecurityManager restrictions. The issue arises in the application's handling of file paths: a UNC pathname supplied where a local path is expected is accepted as-is, so remote files or directories on an SMB share are accessed as if they were local.

Impact

Exploitation of this vulnerability could lead to unauthorized access and reading of files from remote SMB shares, potentially including sensitive information.

Reproduction

To reproduce this vulnerability, send a POST request to the '/WebInterface/function/' URI with the 'path' parameter set to a UNC path (e.g., '\\server\resource') instead of a local file path. The response will include a listing of the injected directory or file, indicating successful exploitation.
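The following is an added example, not CrushFTP's own code, showing the two defender-side checks this class of bug calls for: rejecting UNC, drive-letter and `..` paths in a user-supplied `path` parameter before it reaches the filesystem (including percent-encoded variants), and scanning request logs for POSTs to the `/WebInterface/function/` endpoint whose `path` value fails that check. The endpoint and the `path` parameter come from the advisory; the sample request bodies, the `fileserver` hostname and the virtual-root layout are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Constructed sample requests (method, URI, URL-encoded POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/WebInterface/function/", "path=%2Fhome%2Fuser%2F"),             # benign
    ("POST", "/WebInterface/function/", "path=%5C%5Cfileserver%5Cshare"),      # \\fileserver\share
    ("POST", "/WebInterface/function/", "path=%2F%2Ffileserver%2Fshare"),      # //fileserver/share
    ("POST", "/WebInterface/function/", "path=..%2F..%2Fetc"),                 # ../../etc
    ("GET",  "/WebInterface/", ""),                                            # not the endpoint
]

# A path starting with two separators (\\host or //host) is a UNC name.
_UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+")
# A Windows drive-letter absolute path such as C:\ or C:/.
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")


def path_is_unsafe(path: str) -> bool:
    """True if a user-supplied virtual path could escape the server's virtual
    filesystem: UNC name, drive-letter absolute path, or a '..' segment.
    One extra unquote() pass catches values that were percent-encoded twice."""
    decoded = unquote(path)
    if _UNC_RE.match(decoded) or _DRIVE_RE.match(decoded):
        return True
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments


def resolve_within_root(root: str, user_path: str):
    """Map a user path onto the user's virtual root; return None if it escapes.
    Input is rejected first, then the joined path is normalized and must still
    sit under root (the check a SecurityManager-style guard has to enforce)."""
    if path_is_unsafe(user_path):
        return None
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, unquote(user_path).lstrip("/\\")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def flag_suspicious(requests):
    """Return (uri, decoded_path) for every POST to the function endpoint whose
    'path' parameter fails path_is_unsafe(); parse_qs decodes the body once."""
    hits = []
    for method, uri, body in requests:
        if method != "POST" or not uri.startswith("/WebInterface/function/"):
            continue
        for raw_path in parse_qs(body).get("path", []):
            if path_is_unsafe(raw_path):
                hits.append((uri, unquote(raw_path)))
    return hits


if __name__ == "__main__":
    for uri, bad_path in flag_suspicious(SAMPLE_REQUESTS):
        print(f"suspicious path parameter on {uri}: {bad_path!r}")
    print(resolve_within_root("/srv/crush/users/alice", "docs/report.txt"))
    print(resolve_within_root("/srv/crush/users/alice", r"\\fileserver\share"))
```

Rejecting the input is necessary but not sufficient: the `resolve_within_root` prefix check is what actually confines a request to its virtual root, and any real deployment should also verify that the resolved path is not a symlink or mount pointing outside the root.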

Remediation

Users are advised to update to a fixed release: 10.8.4 or later on the 10.x branch, 11.3.1 or later on the 11.x branch, or the latest version of CrushFTP.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.8
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.