CVE-2022-22836
Description
Authenticated directory traversal in CoreFTP Server before build 727 allows an attacker to create arbitrary files via a crafted HTTP PUT request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CoreFTP Server builds before 727 contain a directory traversal flaw reachable through an authenticated HTTP PUT request. By injecting ../ sequences into the request path, an attacker who holds valid credentials can write files outside the directory they are supposed to be confined to. The vulnerability was fixed in build 727, but the first public fix announcement appears to be for build 778 [1].
Exploitation
An attacker must first have valid credentials to authenticate with the CoreFTP Server. Once authenticated, the attacker sends a crafted HTTP PUT request containing ../ sequences in the resource path, bypassing the intended directory restriction and allowing data to be written to arbitrary locations on the server filesystem.
Impact
Successful exploitation allows an authenticated attacker to create files anywhere on the server's filesystem. This could lead to arbitrary code execution if the attacker writes executable files (e.g., a script or binary) to a location that will be executed, or to data corruption and privilege escalation. The vulnerability does not require any user interaction beyond the initial authentication step.
Mitigation
The vulnerability is fixed in CoreFTP Server build 727 and later; users should upgrade to at least build 727. The latest available build is 778 [1]. No workarounds are documented in the available references.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
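As an added defensive illustration (not CoreFTP's code and not taken from the cited references), the following Python shows the kind of path-confinement check an upload handler needs in order to reject the ../ traversal described above, including percent-encoded and backslash variants. The function names and the root directory /srv/coreftp/alice are hypothetical.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the user's root directory."""


def resolve_upload_path(user_root: str, request_path: str) -> str:
    """Map the resource path of an HTTP PUT onto the filesystem, refusing
    anything that would land outside user_root.

    Hypothetical hardening logic (not CoreFTP's own code):
      1. Percent-decode until stable, so %2e%2e or %252e%252e cannot hide '..'.
      2. Reject NUL bytes, which truncate paths in some runtimes.
      3. Treat backslashes as separators (Windows servers accept both).
      4. Reject any '..' segment outright instead of silently collapsing it,
         so the attempt is visible to logging rather than quietly remapped.
      5. Confirm with realpath + commonpath that the final path is inside the
         root, which also catches escapes through symlinks.
    """
    decoded = request_path
    for _ in range(5):                     # bounded: a few rounds is plenty
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    if not segments:
        raise TraversalError("no file name in path")
    if ".." in segments:
        raise TraversalError(f"traversal segment in path: {request_path!r}")
    root = os.path.realpath(user_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                     # different drives on Windows
        inside = False
    if not inside:
        raise TraversalError(f"path escapes root: {request_path!r}")
    return candidate


def is_safe_upload_path(user_root: str, request_path: str) -> bool:
    """Boolean wrapper for use in a request filter or when replaying access logs."""
    try:
        resolve_upload_path(user_root, request_path)
        return True
    except TraversalError:
        return False
```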
Affected products
- CoreFTP / CoreFTP Server
  - Range: < 727
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. This section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.coreftp.com/forums/viewtopic.php (MITRE x_refsource_MISC)
- yoursecuritybores.me/coreftp-vulnerabilities/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.