Security Advisory Description

Cerberus FTP Server Enterprise Edition prior to versions 11.1.0 and 10.0.23 allows underprivileged WebClient users to view file names and folder names. Only the names of the files are exposed; the file contents are not exposed. A malicious user may be able to leverage sensitive information exposed in the file and folder names.

Details

Cerberus FTP Server’s administrators grant fine-grained privileges on virtual directories to control the information and functions available to end-users. “List File”, “List Folder” and “Display Hidden” privileges control whether a user may view file names, folder names, and hidden files.

WebClient gives end-users the ability to recursively search a virtual directory. The recursive search, however, does not properly honor the “List File”, “List Folder”, or “Display Hidden” permissions, allowing users to view file and folder names they should not be allowed to see.

“Blind Upload” is the most common use-case affected by this vulnerability. In this case, many users are given upload privileges to a single location, but are not granted the ability to list files or folders.
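As an added illustration (not Cerberus FTP Server's own code), the following models the unchecked recursive search the advisory describes beside a search that applies the virtual directory's "List File", "List Folder" and "Display Hidden" privileges while generating results. The Entry and Privileges types and the sample upload tree are assumptions made for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Entry:  # one file or folder inside a virtual directory (model only)
    name: str
    is_dir: bool = False
    hidden: bool = False
    children: list = field(default_factory=list)

@dataclass(frozen=True)
class Privileges:  # the three list-related privileges the advisory names
    list_file: bool
    list_folder: bool
    display_hidden: bool

def search_unchecked(root, pattern, path=""):
    """Pre-fix behaviour: every matching entry is returned, privileges ignored."""
    hits = []
    for child in root.children:
        child_path = f"{path}/{child.name}"
        if fnmatch(child.name, pattern):
            hits.append(child_path)
        if child.is_dir:
            hits += search_unchecked(child, pattern, child_path)
    return hits

def search_checked(root, pattern, privs, path=""):
    """Fixed behaviour: privileges are applied while results are generated."""
    hits = []
    for child in root.children:
        child_path = f"{path}/{child.name}"
        may_list = privs.list_folder if child.is_dir else privs.list_file
        if child.hidden and not privs.display_hidden:
            may_list = False
        if may_list and fnmatch(child.name, pattern):
            hits.append(child_path)
        if child.is_dir and may_list:  # never descend into a folder the user cannot list
            hits += search_checked(child, pattern, privs, child_path)
    return hits

# Constructed sample tree: a shared blind-upload area holding other users' uploads
UPLOADS = Entry("uploads", True, children=[
    Entry("acme_payroll_2020.xlsx"),
    Entry("contracts", True, children=[Entry("merger_draft.docx")]),
    Entry(".backup", True, hidden=True, children=[Entry("db.sql")]),
])
BLIND_UPLOAD = Privileges(list_file=False, list_folder=False, display_hidden=False)
LIST_VISIBLE = Privileges(list_file=True, list_folder=True, display_hidden=False)
```

With the blind-upload privileges the checked search returns nothing, which is the behaviour the fixed versions restore.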

Scope

  • Only WebClient, which uses the HTTP/S protocols, is affected by this vulnerability; FTP, SFTP, and FTPS are unaffected.
  • Only Enterprise Edition of Cerberus FTP Server is affected, as the HTTP/S protocol feature is only included in the Enterprise Edition.
  • File contents are never exposed; file download still correctly adheres to security privileges. Only the names of files/folders are exposed.

Known Affected Versions

  • 11.0 releases prior to 11.1.0
  • 10.0 releases prior to 10.0.23
  • 9.0 and older are out of support and no longer receiving updates. Out of support versions have not been tested, but they are likely affected.

Mitigation

This issue is addressed in versions 11.1.0 and 10.0.23. The recursive search now correctly follows the permissions granted by the virtual directory as it generates search results. Cerberus administrators are encouraged to upgrade to these versions or higher as soon as possible.

Cerberus administrators may mitigate this vulnerability by avoiding shared “blind upload” folders. Instead, use distinct upload folders for each user.

Credit

This bug was discovered and reported by one of our valued customers. Special thanks for their efforts.