Monsta FTP Unauthenticated Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in Monsta FTP versions through 2.11 that allows unauthenticated users to upload arbitrary files. An attacker can direct Monsta FTP to fetch a specially crafted file from a malicious (S)FTP server and write it to a path of their choosing on the web server, which can then be used to execute arbitrary code on that server.

Impact

Exploitation of this vulnerability allows for pre-authentication remote code execution on the server where Monsta FTP is installed.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/mftp/application/api/api.php' with a JSON payload in which 'connectionType' is set to 'sftp' and 'actionName' is set to 'downloadFile'. The 'context' parameter must specify a 'remotePath' pointing to a file on the attacker's SFTP server and a 'localPath' where the file will be saved on the Monsta FTP server. No authentication is required: Monsta FTP downloads the file and overwrites any existing file at the specified path.
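As an added defensive illustration (not part of this advisory and not Monsta FTP's own code), the following Python flags request records matching the shape described above. It assumes a request log with 'src', 'method', 'path' and 'body' fields and a deployment policy where legitimate downloads land under an assumed temporary directory; the flagged suffix list is also an assumption.

```python
import json
import posixpath

API_PATH = "/mftp/application/api/api.php"  # endpoint named in the advisory
ALLOWED_LOCAL_DIR = "/var/www/html/mftp/tmp"  # assumed policy: legitimate downloads land here only
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar"}  # assumed server-executable suffixes

def parse_body(body):
    # Accept a JSON string or an already-decoded dict; return a dict or None.
    if isinstance(body, dict):
        return body
    try:
        decoded = json.loads(body)
    except (TypeError, ValueError):
        return None
    return decoded if isinstance(decoded, dict) else None

def classify_request(record):
    """Return findings for one request record; an empty list means nothing to flag."""
    # Request shape from the advisory: POST to api.php, actionName=downloadFile over (s)ftp.
    if record.get("method") != "POST" or record.get("path") != API_PATH:
        return []
    body = parse_body(record.get("body"))
    if not body or body.get("actionName") != "downloadFile":
        return []
    if body.get("connectionType") not in ("ftp", "sftp"):
        return []
    local_path = (body.get("context") or {}).get("localPath")
    if not isinstance(local_path, str):
        return []
    findings = []
    target = posixpath.normpath(local_path)  # collapse "." / ".." before the prefix check
    if not target.startswith(ALLOWED_LOCAL_DIR + "/"):
        findings.append(f"localPath outside {ALLOWED_LOCAL_DIR}: {target}")
    if posixpath.splitext(target)[1].lower() in EXECUTABLE_SUFFIXES:
        findings.append(f"localPath has executable suffix: {target}")
    return findings

def scan(records):
    # Return (src, findings) for every record that produced findings.
    return [(r.get("src"), f) for r in records if (f := classify_request(r))]

# Constructed sample records; the field names are an assumption about the log source.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.10", "method": "POST", "path": API_PATH,
     "body": {"connectionType": "sftp", "actionName": "downloadFile",
              "context": {"remotePath": "/reports/q3.pdf",
                          "localPath": ALLOWED_LOCAL_DIR + "/q3.pdf"}}},
    {"src": "203.0.113.7", "method": "POST", "path": API_PATH,
     "body": '{"connectionType": "sftp", "actionName": "downloadFile", "context": '
             '{"remotePath": "/pub/notes.txt", "localPath": "/var/www/html/mftp/index.php"}}'},
]
```

Running scan(SAMPLE_REQUESTS) reports only the second record, since its localPath leaves the download directory and ends in a server-executable suffix.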

Remediation

Users can upgrade to Monsta FTP version 2.11.3 or later, which addresses this vulnerability.

Added: Nov 7, 2025, 2:18 PM
Updated: Nov 7, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 9.5
remediation: 7.7
relevance: 1.0
threat: 7.9
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.