Описание
Server-Side Request Forgery in ftp-srv
Background
The FTP protocol creates two connections, one for commands and one for transferring data. This second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command.
The PORT command sends the IP and port for the server to connect to the client with.
Issue
Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere.
Patches
- fix: disallow PORT connections to alternate hosts: e449e75219d918c400dec65b4b0759f60476abca
Deprecation notices have been published for older versions.
Workarounds
Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied.
References
https://www.npmjs.com/advisories/1445
Credits
Thank you to; @trs for fixing it @andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform @quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas
For more information
If you have any questions or comments about this advisory:
- Open an issue at https://github.com/autovance/ftp-srv
- Email us directly; security@autovance.com
Ссылки
- https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
- https://nvd.nist.gov/vuln/detail/CVE-2020-15152
- https://github.com/autovance/ftp-srv/commit/5508c2346cf23b24c20070ff2e8a47c647d3d5b5
- https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca
- https://github.com/autovance/ftp-srv/commit/fb32b012c3baf48ee804e1dc36544cbba70b00d3
- https://www.npmjs.com/advisories/1445
- https://www.npmjs.com/package/ftp-srv
Пакеты
ftp-srv
>= 1.0.0, < 2.19.6
2.19.6
ftp-srv
>= 3.0.0, < 3.1.2
3.1.2
ftp-srv
>= 4.0.0, < 4.3.4
4.3.4
Связанные уязвимости
ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.