Security Advisory Description

When customers preview SVG files in the Cerberus FTP Server Web Client, the browser renders the SVG inline and executes any script embedded within the file in the context of the end-user’s authenticated session (a stored cross-site scripting issue). This exposes the user to malicious scripts that may hijack the user’s session and perform actions on their behalf.

Fix

Cerberus FTP Server versions 11.0.4 and 10.0.19 contain two changes to mitigate this threat:

  • The default mime-type for SVG is now ‘application/octet-stream’. This forces browsers to download SVG content instead of rendering it inline. The end-user may still open the downloaded file, but any scripts will then execute outside the Cerberus web client’s origin and session, where they cannot reach the session cookie or call the web client on the user’s behalf.
  • When the SVG mime-type is still ‘image/svg+xml’, Cerberus will allow preview but will render the SVG content within a restricted ‘sandbox’ iframe. A sandboxed frame that is not granted ‘allow-scripts’ ignores every script in the document, and one not granted ‘allow-same-origin’ runs in an opaque origin that cannot read the parent page, so script execution during preview is prevented.

Important Note: The new default mime-type only affects new Cerberus installations; upgrading does not alter a deployment’s existing mime-type configuration. Administrators of existing Cerberus deployments must modify their deployment’s mime-types to force download of SVG content, or the preview will continue to rely on the sandboxed iframe alone.

Scope

  • This vulnerability impacts Cerberus FTP Server Enterprise deployments using HTTP(S) listeners where SVG files are allowed to be uploaded and downloaded.
  • Non-Enterprise editions of Cerberus are not affected, as the HTTP(S) protocols are only a feature of the Enterprise edition.
  • Other transfer protocols, such as FTP, SFTP, and FTPS, are not affected, as they transfer SVG files as opaque data and never render them in a browser.

Known Affected Versions

  • 11.0 releases prior to 11.0.4
  • 10.0 releases prior to 10.0.19
  • 9.0 and earlier are also affected. These versions are out of support and no longer receive updates.


Mitigation

This issue is addressed in versions 11.0.4 and 10.0.19. As always, Cerberus Administrators are urged to upgrade to these versions or later as soon as possible.

Until the upgrade can be completed, Cerberus Administrators may mitigate this vulnerability through configuration detailed below:

  • Remove the SVG mime-type from the Cerberus configuration (or change it to ‘application/octet-stream’). This forces browsers to download SVG files instead of rendering them in place, and covers SVG files that have already been uploaded.
  • Add SVG to the list of blocked file extensions. This prevents new SVG files from being uploaded, but does not affect SVG files already stored on the server, which the previous step addresses.

Credit

Special thanks to security researcher Robert Newman from Context Information Security (now Accenture) for discovering and reporting this vulnerability.