Skip to content

File System Bounds Escape

Moderate severity GitHub Reviewed Published Dec 16, 2020 in QuorumDMS/ftp-srv • Updated Feb 1, 2023

Package

npm ftp-srv (npm)

Affected versions

< 4.4.0

Patched versions

4.4.0

Description

Impact

Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR.

Background

When windows separators exist within the path (\), path.resolve leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.

Screen Shot 2020-12-15 at 6 42 52 PM

Patches

None at the moment.

Workarounds

There are no workarounds for windows servers. Hosting the server on a different OS mitigates the issue.

References

Issues:
QuorumDMS/ftp-srv#167
QuorumDMS/ftp-srv#225

For more information

If you have any questions or comments about this advisory:
Open an issue at https://github.com/autovance/ftp-srv.
Please email us directly; security@autovance.com.

References

@matt-forster matt-forster published to QuorumDMS/ftp-srv Dec 16, 2020
Reviewed Feb 10, 2021
Published to the GitHub Advisory Database Feb 10, 2021
Published by the National Vulnerability Database Feb 10, 2021
Last updated Feb 1, 2023

Severity

Moderate

EPSS score

0.200%
(58th percentile)

Weaknesses

CVE ID

CVE-2020-26299

GHSA ID

GHSA-pmw4-jgxx-pcq9

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.