Security Advisory

Cerberus FTP Server versions 11.2.8 and higher include a number of security-related fixes that we had not documented. Normally, we disclose a security issue when we release its fix. In this case, a single customer reported all of the issues, so we chose to delay disclosure until we had addressed all of them.

Scope

  • Most of the vulnerabilities affect all editions of Cerberus FTP Server prior to 11.2.8, but a few affect only the Web Admin feature, which is present in Professional Edition and higher.
  • All of these vulnerabilities affect only the HTTP/S protocol; they do not affect SFTP, FTP, or FTPS.

Known Affected Versions

  • 11.x – releases prior to version 11.3.1 are affected
  • 10.x – all releases are affected
  • 9.0 and older are out of support, no longer receiving updates, and are likely affected

Mitigation

Version 11.3.1 and higher fully address these issues. We encourage Cerberus FTP Server administrators to upgrade to version 11.3.1 as soon as possible.

Credit

Our sincere thanks go out to the valued customer who reported these issues. Thank you for investing your time and resources in improving Cerberus FTP Server.

Fixes and Improvements

Sensitive Parameters Passed in URL

Web Admin and Web Client sometimes passed sensitive information as parameters in URLs. This could expose the data through server and application logs.

Where possible, we have removed sensitive data from URL query parameters. Where removal was not feasible, we have encrypted the data within the URL.

Configuration value for Web Admin Session Timeout

Web Admin enforced a single, hard-coded session timeout value for all administrators.

Now, session timeout is a configurable option for administrator accounts. Admin Console contains the new setting, under Server Manager / General / Connection Timeouts.

Password Information Disclosure

Web Admin relayed some configuration-related passwords from the server back to the client browser.

Web Admin now communicates passwords one way only, from the client to the server. Password fields appear to contain masked text when a password has been set, but the actual value is not present in the client-side HTML.

Web Admin Users Do Not Track Password History

Cerberus FTP Server did not track Admin Users’ password history, nor did it enforce history requirements during password updates for Admin users.

Cerberus FTP Server now maintains a password history for administrators and enforces the same policy defined for end-users, found in the Admin Console under User Manager / Policy / Password History.

Vulnerable MomentJS in Cerberus FTP Server

MomentJS, a JavaScript library used by Web Client and Web Admin to display dates and times, contained a denial-of-service vulnerability. We have updated MomentJS to address this vulnerability.

Localization Cross-Site Scripting

An attacker with proper privileges could insert malicious scripts into the translation table used to populate Web Client with localized messages.

Cerberus FTP Server now filters unsafe HTML from translated messages before inserting them into Web Client responses. The primary Cerberus administrator account may disable this function from Admin Console under Localization.

Exported CSV Formula Injection

When opening a CSV file, Excel may interpret cells as formula expressions. A specially crafted formula could use Excel to run other scripts.

The Admin Console now escapes formula expressions when exporting user attributes to CSV.
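As an added illustration of the kind of escaping described above (example code, not Cerberus FTP Server's own implementation), the Python below neutralizes leading formula triggers in every exported cell and then re-parses the output to confirm nothing slipped through. The trigger character set and the sample user rows are assumptions; the advisory does not list which characters Cerberus escapes.

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of a
# formula. Assumption: this set follows common CSV-injection hardening guidance;
# the page does not list which characters Cerberus escapes.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will read as literal text."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe forces text interpretation. Legitimate values such
        # as negative numbers are prefixed too; that is the accepted trade-off.
        return "'" + text
    return text


def export_users_csv(rows, fieldnames):
    """Serialise user attribute rows to CSV with every data cell neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL doubles embedded quotes, so a value cannot close its own cell
    # and open a new field that begins with a trigger character.
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


def export_is_clean(csv_text):
    """Re-parse an export and confirm no data cell still begins with a trigger."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # the header row comes from the application, not users
    return all(not cell.startswith(FORMULA_TRIGGERS)
               for record in reader for cell in record)


# Constructed sample rows: values of the kind that were exported verbatim before
# the fix, including an embedded double quote.
SAMPLE_USERS = [
    {"username": "alice", "notes": "=SUM(1,1)"},
    {"username": "@bob", "notes": 'said "hi", then left'},
]

if __name__ == "__main__":
    export = export_users_csv(SAMPLE_USERS, ["username", "notes"])
    print(export, "clean:", export_is_clean(export))
```

The post-export check is the part worth keeping in a test suite: it catches a future code path that writes cells without going through the escaping function.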

Improper Cache-Control Allows Storage of Sensitive Data

Web Admin and Web Client sent permissive cache-control headers that allowed the browser to store potentially sensitive data. Using Web Client or Web Admin from a public or shared workstation could expose this data to another user with access to the browser cache.

Cerberus now disallows caching except for static, non-sensitive content.

Content Spoofing Utilizing URL Redirect Mechanism

Web Client and Web Admin passed plain-text messages through query parameters in HTTP redirect responses and used these strings to display information and error messages to the user. An attacker could craft Web Client and Web Admin URLs containing their own plain-text message that, when clicked, would display the attacker’s message as though it were a legitimate system message. Through phishing or social engineering, an attacker could use the legitimate-looking message to convince a user to take actions that compromise their security.

Web Client and Web Admin now encrypt these messages, preventing attackers from inserting their own messages into a redirect URL.