Security Advisory Description
Cerberus FTP Server Enterprise Edition prior to versions 11.0.1 and 10.0.17 are vulnerable to a cross-site scripting (XSS) attack on Cerberus’ public share page. This XSS vulnerability allows a malicious public share to insert arbitrary JavaScript into the page.
When a user creates a public share of a folder, the generated URL contains a unique key followed by a path. The path portion of the URL is used to support continued browsing through nested folders within the share. JavaScript code within the public share page uses the path to dynamically update folders and files displayed to the end-user. This JavaScript code implicitly trusts the path portion of the URL, failing to sanitize it for HTML and JavaScript content. Consequently, the JavaScript can be manipulated through a malicious URL to render arbitrary HTML and JavaScript into the page.
To address this issue, the public share page’s JavaScript code now sanitizes all text received through the URL.
Scope
- This vulnerability impacts Cerberus FTP Server Enterprise deployments using HTTP(S) listeners with Public Sharing enabled.
- Non-Enterprise editions of Cerberus are not affected, as the HTTP(S) protocols are only a feature of the Enterprise edition.
- Other transfer protocols, such as FTP, SFTP, and FTPS, are unaffected.
Known Affected Versions
- 11.0 releases prior to 11.0.1
- 10.0 releases prior to 10.0.17
- 9.0 and older are out of support and no longer receiving updates. It is unknown
whether issues in this advisory affect them.
Mitigation
This issue is addressed in versions 11.0.1 and 10.0.17. Cerberus Administrators are encouraged to upgrade to these versions or higher as soon as possible.
Until upgrade is complete, Cerberus administrators may mitigate by disabling all public sharing or by removing the Public Share permissions from individual virtual directories.
- All public sharing may be disabled through the admin console at User Manager > Public Shares > Disable All Public Sharing.
- Public Upload Share and Public Download Share permissions may be edited through User Manager > User or Group > Virtual Directories.
Credit
Special thanks to security researcher Quinn Zapata of Avalara for discovering and reporting this vulnerability.