Security Advisory Description

Cerberus FTP Server administrators can block end-users from uploading certain file types, identified by file name extension. When an end-user attempts to upload or rename a file, the operation fails with a permission error if the target name carries a blocked extension.

However, when an archive is unzipped through the FTP Web Client, the extension check is not applied to the archive's contents. A user with unzip privileges can place files of a blocked type inside a zip archive, upload the archive (provided the archive's own extension is not itself blocked), and then expand it into a folder on the server.

This bypasses the extension blocking feature of Cerberus and lets end-users place files with otherwise-blocked extensions on the server.

Fix

Cerberus FTP Server versions 11.0.5 and 10.0.20 fix this issue. After the fix, when the end-user unzips an archive from the FTP Web Client, the extension of each archived file is now checked before being expanded. Cerberus now reports an error to the end-user for each file that was blocked during unzip. Non-blocked files within the same zip archive are expanded normally.
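The pattern described above (one policy enforced on upload and rename, skipped on unzip) and the shape of the fix (apply the same check to every archive member, report each blocked one, extract the rest) are shown together below. This is an added illustration written for this page, not Cerberus code; the blocklist, the archive contents and the function names are all constructed for the example.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import List, Optional, Tuple

# Hypothetical blocklist standing in for the administrator-configured setting.
BLOCKED_EXTENSIONS = frozenset({".exe", ".dll", ".ps1"})


def is_blocked(name: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """One policy function shared by every code path that creates a name on disk.

    Only the final suffix is compared, case-insensitively, so "tool.EXE" and
    "dir/tool.exe" are treated alike. A directory entry ("tools/") has no suffix.
    """
    return PurePosixPath(name).suffix.lower() in blocked


def check_upload_or_rename(target_name: str) -> None:
    """The existing upload/rename gate: refuse a blocked target name."""
    if is_blocked(target_name):
        raise PermissionError(f"extension of {target_name!r} is blocked")


def build_sample_archive() -> bytes:
    """Constructed sample input: a zip mixing allowed and blocked members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless\n")
        zf.writestr("tools/payload.EXE", "MZ...")      # blocked, mixed case
        zf.writestr("tools/run.ps1", "Write-Host hi\n")  # blocked
        zf.writestr("data/notes.md", "# notes\n")
    return buf.getvalue()


def _written_files(dest: Path) -> List[str]:
    """Relative POSIX paths of every regular file that ended up under dest."""
    return sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())


def unzip_vulnerable(zip_bytes: bytes, dest: Optional[str] = None) -> List[str]:
    """Pre-fix behaviour: every member is written; the blocklist is never consulted."""
    target = Path(dest or tempfile.mkdtemp())
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(target)
    return _written_files(target)


def unzip_fixed(zip_bytes: bytes, dest: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Post-fix behaviour: each member passes the same gate as an upload.

    Returns (files written, member names rejected). Blocked members are
    reported and skipped; non-blocked members in the same archive are
    extracted normally.
    """
    target = Path(dest or tempfile.mkdtemp())
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                check_upload_or_rename(info.filename)
            except PermissionError:
                rejected.append(info.filename)  # reported to the end-user per file
                continue
            # ZipFile.extract() also strips absolute and ".." path components.
            zf.extract(info, target)
    return _written_files(target), rejected


if __name__ == "__main__":
    archive = build_sample_archive()
    print("vulnerable wrote:", unzip_vulnerable(archive))
    written, blocked = unzip_fixed(archive)
    print("fixed wrote:", written)
    print("fixed rejected:", blocked)
```

The important design point is that the unzip path calls the very same `check_upload_or_rename` gate rather than a second, separately maintained check; a policy duplicated in two places is how this class of bypass appears in the first place. Note also that only the final suffix is compared, so an administrator blocking `.gz` would not stop `archive.tar.gz` unless `.gz` is itself on the list.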

Scope

  • This issue only impacts FTP Web Client or HTTP(S) listeners. FTP(S), SFTP, and other protocols are unaffected, as they do not support unzipping.
  • This issue only impacts Cerberus FTP Server Enterprise edition. Web Client is an Enterprise feature. Other editions are unaffected.

Known Affected Versions

  • 11.0 releases prior to 11.0.5
  • 10.0 releases prior to 10.0.20
  • 9.0 and earlier are also affected. These versions are out of support and no longer receive updates.

Mitigation

Cerberus Administrators are urged to upgrade to a fixed version or later as soon as possible. In the meantime, Cerberus Administrators may mitigate this vulnerability through configuration:

  • Remove unzip privileges from end-users. With unzip unavailable, the only remaining ways to create a file name (upload and rename) are already subject to the extension check.

Credit

Special thanks to security researcher Robert Newman from Context Information Security (now Accenture) for discovering and reporting this vulnerability.