Security issue fixed in version 22.1.1 of file transfer software

CompleteFTP path traversal flaw allowed attackers to delete server files

UPDATED A security vulnerability in file transfer software CompleteFTP allowed unauthenticated attackers to delete arbitrary files on affected installations.

Developed by EnterpriseDT of Australia, CompleteFTP is a proprietary file transfer server for Windows that supports FTP, FTPS, SFTP, and HTTPS.

A security researcher with the handle rgod discovered a flaw in the HttpFile class that results from the lack of proper validation of a user-supplied path prior to using it in file operations.
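To make the bug class concrete, the following is an added illustration of what "no validation of a user-supplied path before a file operation" means, and of the check that closes it. It is not CompleteFTP's code (the product is closed source) and not material from rgod or the advisory; the handler names `unsafe_delete`, `resolve_under_root` and `safe_delete`, and the directory layout built by `demo()`, are assumptions constructed for the example.

```python
"""Path traversal in a file-delete handler, shown generically.

Illustrative code, not CompleteFTP's. Assumes a server that maps a
client-supplied path onto a fixed share root and then deletes the file.
"""
import os
import tempfile
from pathlib import Path


def unsafe_delete(root: str, user_path: str) -> str:
    """Vulnerable pattern: the client path is joined onto the root and used
    directly. '../secret.txt' walks out of the share and the delete runs
    with whatever privileges the server process holds."""
    target = os.path.join(root, user_path)
    os.remove(target)
    return target


def resolve_under_root(root: str, user_path: str) -> Path:
    """Hardened pattern: canonicalise the candidate (collapsing '..' and
    following symlinks), then insist the result is strictly inside root.
    Raises PermissionError otherwise."""
    root_real = Path(root).resolve()
    # Treat the client path as relative to the share root: normalise
    # separators and strip leading slashes so an absolute path cannot
    # discard the root the way os.path.join would.
    relative = user_path.replace("\\", "/").lstrip("/")
    candidate = (root_real / relative).resolve()
    if candidate == root_real:
        raise PermissionError("refusing to operate on the share root itself")
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PermissionError(f"path escapes share root: {user_path!r}")
    return candidate


def safe_delete(root: str, user_path: str) -> str:
    """Delete only after the containment check has passed."""
    target = resolve_under_root(root, user_path)
    os.remove(target)
    return str(target)


def is_rejected(root: str, user_path: str) -> bool:
    """True if the hardened resolver refuses this client path."""
    try:
        resolve_under_root(root, user_path)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a share root holding report.txt, and a
    secret.txt one level above it. Returns what each handler did."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.mkdir(share)
    secret = os.path.join(base, "secret.txt")
    Path(secret).write_text("outside the share")
    Path(share, "report.txt").write_text("inside the share")

    results = {}
    # Hardened handler refuses the traversal and leaves secret.txt alone
    try:
        safe_delete(share, "../secret.txt")
        results["safe_escape"] = "deleted"
    except PermissionError:
        results["safe_escape"] = "refused"
    results["secret_after_safe"] = os.path.exists(secret)
    # ...but still deletes legitimate in-share paths
    safe_delete(share, "report.txt")
    results["report_after_safe"] = os.path.exists(Path(share, "report.txt"))
    # Vulnerable handler removes the file outside the root without complaint
    unsafe_delete(share, "../secret.txt")
    results["secret_after_unsafe"] = os.path.exists(secret)
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on the canonical path rather than on the raw string, so encoded or mixed-separator variants of `..`, and symlinks inside the share that point outside it, are all caught by the same `relative_to` test.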


“This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP server,” a security advisory explains.

“An attacker can leverage this vulnerability to delete files in the context of SYSTEM.”

Patch released

The issue was assigned CVE-2022-2560 and was fixed in CompleteFTP version 22.1.1.

“We haven’t seen any indication of this vulnerability being exploited,” an EnterpriseDT spokesperson told The Daily Swig.

“We often receive reports from security researchers, and we value their efforts in highlighting vulnerabilities they find.”

They added: “This particular vulnerability was an easy fix, so there was no need for the security researcher to be involved in developing a solution.”

The release also includes other security enhancements: support for SHA-2 hash functions in RSA signatures, and support for the new PuTTY private key format.

This article has been updated to include additional comment from EnterpriseDT.
