Security Advisory Description
Password reset links and public share links are vulnerable to HTTP host header attacks in older versions of Cerberus FTP Server.
When a user requests to reset their password or to create a public share, Cerberus relies on the HTTP host header to create a public link. The HTTP host header is controlled by the user and is included in the HTTP request from the client. As a security best practice, user input should always be considered unsafe and never trusted without proper validation. Our mistake was in trusting the HTTP host header value, resulting in two separate vulnerabilities.
In the first vulnerability, a malicious, authenticated Cerberus user can change the generated public URL of a shared file or folder to one that redirects the URL to an attacker’s domain.
In the second and more serious vulnerability, an unauthenticated attacker can cause Cerberus to send a malicious password reset email with a password reset link containing a domain controlled by the attacker. This does not require an authenticated Cerberus user, although it does require the attacker to know the username, first name, and last name of a valid Cerberus user. It also requires that password resets are enabled by the administrator.
We rewrote our code that handles constructing public URLs to validate that the HOST header value provided by the HTTP client is included in an “allow list” of acceptable domains, host names, or IP addresses. This fixes the specific issues with password reset links and public share links and will prevent any future host header attack vulnerabilities.
Please refer to this FAQ entry on how to update the “Client Domain Allow List.”
Known Affected versions
- 10.0 releases prior to 10.0.17
- 9.0 and older are out of support and no longer receiving updates. It is unknown
whether issues in this advisory affect them.
Mitigation
These vulnerabilities were addressed in Cerberus FTP Server 11.0 and 10.0.17. Older version of Cerberus FTP Server are no longer maintained and will not be seeing any security or bug fixes. Administrators are encouraged to upgrade to 11.0.1 or higher as soon as possible.
Credit
Special thanks to security researcher Robert Newman from Context Information Security (now Accenture) for discovering and reporting these vulnerabilities.