basic-ftp FTP Command Injection Vulnerability via CRLF Sequences
Vulnerability
A command injection vulnerability has been identified in basic-ftp, a Node.js FTP client, in version 5.2.0. The issue arises from improper handling of file path parameters: a path containing CRLF sequences is written to the control channel unchanged, and because the FTP protocol treats CRLF as the end of a command, everything after the sequence is parsed by the server as a separate command. This allows attackers who control a path value to manipulate the FTP commands sent to the server, potentially leading to unauthorized file deletions, directory modifications, or exploitation of certain FTP server features, such as executing system commands on the server.
Impact
Exploitation of this vulnerability allows for arbitrary FTP command injection, with potential consequences including unauthorized file deletions, directory manipulations, and in some cases, executing system commands on the FTP server.
Reproduction
The vulnerability can be reproduced with basic-ftp version 5.2.0 by passing file path parameters that include CRLF sequences. One approach is to run a mock FTP server that logs every command it receives, then connect to it with a basic-ftp client and call path-taking methods with CRLF sequences embedded in the path arguments. The mock server's log shows the injected text arriving as separate FTP commands, confirming the vulnerability.
Remediation
Users can upgrade to basic-ftp version 5.2.1, which addresses the vulnerability by rejecting CRLF injection attempts in file path parameters. For those unable to upgrade, an immediate workaround is to sanitize FTP path inputs in the application itself by removing or rejecting control characters (at minimum CR and LF) before passing them to any basic-ftp method that takes a path.
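The workaround above, implemented as an added example in JavaScript; this is not basic-ftp's own code or the 5.2.1 fix. It validates path arguments for ASCII control characters and wraps a client object so that every string argument to path-taking methods is checked before the call reaches the library. The method names listed in PATH_METHODS are taken from the basic-ftp Client API, but the choice of which methods to guard is an assumption about what an application exposes to user input, and the recording client is a constructed in-memory stand-in, not a real connection.

```javascript
// Added example (not basic-ftp's code): reject control characters in FTP path
// arguments before they reach the client, mirroring the advisory's workaround.

// Any ASCII control character, including CR (0x0d) and LF (0x0a); an FTP
// control channel treats CRLF as the end of a command, so none may appear
// inside a path argument.
const CONTROL_CHAR_RE = /[\u0000-\u001f\u007f]/;

class UnsafeFtpPathError extends Error {
  constructor(message) {
    super(message);
    this.name = "UnsafeFtpPathError";
  }
}

// "Reject" mode: returns the path unchanged, or throws naming the offending byte.
function assertSafeFtpPath(path) {
  if (typeof path !== "string") {
    throw new UnsafeFtpPathError("FTP path must be a string");
  }
  const match = CONTROL_CHAR_RE.exec(path);
  if (match) {
    const hex = match[0].charCodeAt(0).toString(16).padStart(2, "0");
    throw new UnsafeFtpPathError(
      `FTP path contains control character 0x${hex} at index ${match.index}`);
  }
  return path;
}

// "Remove" mode for callers that prefer to normalise rather than fail.
function stripControlChars(path) {
  return path.replace(/[\u0000-\u001f\u007f]/g, "");
}

// basic-ftp Client methods that take remote paths as strings (assumption:
// these are the ones an application is likely to feed user-supplied input).
const PATH_METHODS = new Set([
  "cd", "list", "size", "lastMod", "remove", "rename",
  "removeDir", "ensureDir", "uploadFrom", "downloadTo",
]);

// Wraps any client object so that every string argument to a guarded method
// is validated first; non-string arguments (streams, options) pass through.
function guardFtpClient(client, methods = PATH_METHODS) {
  return new Proxy(client, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof value !== "function" || !methods.has(prop)) return value;
      return (...args) => {
        for (const arg of args) {
          if (typeof arg === "string") assertSafeFtpPath(arg);
        }
        return value.apply(target, args);
      };
    },
  });
}

// Constructed stand-in for a basic-ftp Client: records the FTP verb and
// argument each call would send instead of opening a connection.
function makeRecordingClient() {
  const calls = [];
  return {
    calls,
    cd(path) { calls.push(["CWD", path]); },
    remove(path) { calls.push(["DELE", path]); },
  };
}

// Shows the guard in use: one clean call goes through, one injected call is
// rejected before anything is recorded (i.e. before anything would be sent).
function demo() {
  const client = guardFtpClient(makeRecordingClient());
  client.cd("/uploads");
  let rejected = false;
  try {
    client.remove("a.txt\r\nDELE important.txt");
  } catch (err) {
    rejected = err instanceof UnsafeFtpPathError;
  }
  return { sent: client.calls.length, rejected };
}
```

In a real application you would wrap the actual basic-ftp Client instance with guardFtpClient once, right after constructing it, and use the wrapped object everywhere; the proxy adds no state and forwards every other property untouched.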
