Authenticated User Remote Full Path Disclosure Vulnerability fixed in Cerberus FTP Server 13.2.1

Cerberus FTP Server versions prior to 13.2.1 are vulnerable to an authenticated user full path disclosure in the Web application of Cerberus FTP Server (CVE-2023-50452). An authenticated user is able to use the “Zip or Unzip” functionality to disclose the full path of the location where that user's files are stored. We have been unable to find evidence of active exploitation of this vulnerability or any proof-of-concept implementations. However, combined with a secondary exploit that requires knowledge of where files are placed on the host to function, this issue may provide an attack surface to a hostile authenticated user.

Scope

  • Only WebClient, which uses the HTTP/S protocols, is affected by this vulnerability; FTP, SFTP, and FTPS are unaffected.
    • Exploitation requires a user with the virtual directory permissions “zip” and/or “unzip”.
  • Only the Enterprise Editions of Cerberus FTP Server are affected, as the HTTP/S protocol feature is only included in the Enterprise Editions.

Known Affected Versions

  • 13.0 releases prior to 13.2.1, for the Enterprise editions
  • 12.0 releases (including 12.11.7 Enterprise edition) are also affected. These versions are out of support and no longer receive updates.

Mitigation

This issue is addressed in version 13.2.1. As always, Cerberus Administrators are urged to upgrade to this version or higher as soon as possible. If this is not possible, it is recommended to remove access to zip functionality from every virtual directory for each web client user. This can be done by accessing the user accounts, navigating to the virtual directories tab, and editing each virtual directory to uncheck the “zip” and “unzip” permissions.
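As an added illustration of the vulnerability class described above (not Cerberus code, and not tied to the actual response format of the Cerberus web client), the following Python example shows two defender-side checks: scanning captured web responses for absolute filesystem paths, which is how a full path disclosure from a zip/unzip error would surface, and the server-side fix pattern of reducing any path in a user-facing message to its final component. The sample response bodies are constructed, and the `is_affected` helper simply encodes the version boundary stated in this advisory (Enterprise edition assumed).

```python
"""Added example: spotting and suppressing full-path disclosure in web responses.

Not Cerberus code; the response bodies below are constructed to resemble what
a zip/unzip error in a web file client might leak.
"""
import json
import re

# Absolute Windows path (drive letter plus backslash-separated segments) and
# absolute POSIX path (two or more slash-separated segments); both stop at
# whitespace, double quotes and colons so trailing error text is not swallowed.
WIN_ABS = re.compile(r'(?<!\w)[A-Za-z]:\\(?:[^\\\s":]+\\)*[^\\\s":]*')
POSIX_ABS = re.compile(r'(?<![\w./])/(?:[\w.-]+/)+[\w.-]*')

# Constructed sample bodies (not real Cerberus output).
SAMPLE_RESPONSES = [
    ("zip-ok", r'{"status":"ok","archive":"reports.zip"}'),
    ("zip-error-leak",
     r'{"status":"error","message":"Cannot create archive C:\\CerberusData\\Users\\alice\\reports.zip"}'),
    ("unzip-error-leak",
     r'{"status":"error","message":"Failed to extract /srv/cerberus/users/bob/archive.zip: not a zip file"}'),
    ("unzip-error-clean",
     r'{"status":"error","message":"Failed to extract archive.zip: not a zip file"}'),
    ("not-json", "<html><body>Internal error</body></html>"),
]


def find_absolute_paths(text):
    """Return every absolute filesystem path found in text, in order of appearance."""
    hits = [(m.start(), m.group(0))
            for pat in (WIN_ABS, POSIX_ABS) for m in pat.finditer(text)]
    return [path for _, path in sorted(hits)]


def _strings_in(obj):
    """Yield every string value inside a decoded JSON document, at any depth."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings_in(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings_in(value)


def scan_responses(responses):
    """Map response name -> leaked paths, keeping only responses that leak something."""
    leaks = {}
    for name, body in responses:
        try:
            texts = list(_strings_in(json.loads(body)))
        except json.JSONDecodeError:
            texts = [body]  # non-JSON body: scan the raw text
        found = [p for t in texts for p in find_absolute_paths(t)]
        if found:
            leaks[name] = found
    return leaks


def redact_paths(message):
    """Server-side fix pattern: keep only the final path component in user-facing text."""
    def basename(match):
        path = match.group(0).replace("\\", "/").rstrip("/")
        return path.rsplit("/", 1)[-1] or "<path>"
    return POSIX_ABS.sub(basename, WIN_ABS.sub(basename, message))


def is_affected(version):
    """True if a Cerberus FTP Server version string is below the fixed 13.2.1."""
    parts = tuple(int(x) for x in version.split("."))
    return parts < (13, 2, 1)


if __name__ == "__main__":
    for name, paths in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{name}: leaks {paths}")
    print(redact_paths("Cannot create archive C:\\CerberusData\\Users\\alice\\reports.zip"))
    print(is_affected("13.1.0"), is_affected("13.2.1"))
```

Run over real traffic, `scan_responses` is a cheap way to confirm after upgrading, or after removing the zip/unzip permissions, that the web client no longer returns storage locations to users; the regexes are deliberately narrow (drive-letter paths and multi-segment POSIX paths) to keep false positives from URLs and relative filenames low.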

Credit

This vulnerability was discovered and reported by Joran Lereec from Excube Cyber Security. Special thanks for their efforts.