We will be adding more features with every minor release until web administration mirrors the local graphical user interface. Most server functions can be controlled through web administration. The web administration feature has nearly the same capabilities as the desktop user interface. The administrator can also control the server through web administration. Primary admin usernames and passwords are also used for basic authentication when using the SOAP web services API to access the server. With easy accessibility, server administrators only need a web browser, or through the desktop Cerberus FTP Server Graphical User Interface (GUI) when logged into the server.Ĭerberus exposes several APIs for controlling all aspects of the server using SOAP web services for software developers. Special thanks to security researcher Robert Newman from Context Information Security for discovering and reporting these vulnerabilities.Cerberus FTP Server’s remote settings page allows the administrator to easily configure web administration access, and remote Application Programming Interface (API) access to Cerberus FTP Server. Administrators are encouraged to upgrade to 11.0.1 or higher as soon as possible. Older version of Cerberus FTP Server are no longer maintained and will not be seeing any security or bug fixes. These vulnerabilities were addressed in Cerberus FTP Server 10.0.16 and 9.0.17.Ĭerberus FTP Server 11.0 is not susceptible to these vulnerabilities. 8.0 and older are no longer supported or maintained and are likely susceptible to this vulnerability.This addressed the file extension blocking bypass vulnerability and had the added benefit of allowing Cerberus to easily handle and process paths with file names that end in a period. We rewrote our file handling code to properly escape file paths with filenames ending in a period. During our testing, we actually discovered that most applications couldn’t open or access files (including all of the popular browsers and file transfer clients we tested) that ended in a period. Without special handling in Cerberus, the operating system ignores the trailing backslash. However, the Windows operating system would actually create the file without the period. The practical implication of this behavior is that a malicious user could bypass our file extension blocking mechanism.įor example, if an administrator added “.exe” as a file extension to block from uploads, a user could upload “badfile.exe.” and it would be allowed since “.exe.” doesn’t match “.exe”. ![]() Basically, Windows will ignore the period at the end of the file path when interpreting the path. Designed to use very little CPU and memory, the server boasts a user-friendly interface that can be easily hidden or accessed from the system tray. Passing that file, or a path to that file, to a Windows API call will result in the operating system trying to open or create the file without the period at the end. You might tell the operating system to create a file called “badfile.exe.”, but it will actually create “badfile.exe” – the same file, but without the period at the end. Cerberus FTP Server provides powerful, multi-threaded FTP server performance without sacrificing ease-of-use. To illustrate this, passing a file named “badfile.exe.” to a Windows API call results in unexpected behavior. It turns out that file names that end in a period require special handling by the Windows operating system. If you are prompted that an Unidentified Program wants to access your computer click Yes. Double-click or run the CerberusInstall64.exe self-extracting installer. ![]() The second issue was a little more complicated. Download the latest version of Cerberus FTP Server from our downloads page. Handling File Names That End in a Period (fixed in 10.0.16) ![]() ![]() This vulnerability resulted in our team re-evaluating and re-designing how we construct our SMTP headers to prevent this and any future header injection vulnerabilities. A practical example of how this flaw could be exploited would be to add a special “reply-to” header to the public share email. The first issue was an email header bypass vulnerability. We committed the classic mistake of not properly sanitizing user input, and that omission could allow a malicious, authenticated user to craft a subject line that added additional SMTP headers to outgoing public share email messages. To try a fully functional trial of Cerberus FTP Server 13 free for 25 days, visit About Redwood Software Redwood Software is the leader in full stack automation for mission-critical business processes. Email Header Bypass Vulnerability (fixed in 10.0.15) We recently released Cerberus FTP Server 10.0.16, and we wanted to elaborate on two security issues we fixed in that release and the previous 10.0.15 release.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |