Executive Summary

[{'type': 'paragraph', 'content': 'The vulnerability exists in the basic-ftp FTP client library for Node.js, specifically in versions prior to 5.2.0 within the downloadToDir() method.'}, {'type': 'paragraph', 'content': 'A malicious FTP server can send directory listings containing filenames with path traversal sequences such as "../". These sequences are not properly sanitized by the client, which causes files to be written outside the intended download directory.'}, {'type': 'paragraph', 'content': "This means that when the client downloads files, it may inadvertently overwrite or create files in arbitrary locations on the user's filesystem."}, {'type': 'paragraph', 'content': 'The issue was fixed in version 5.2.0 by adding validation that strips path components from filenames, ensuring files are only saved within the intended directory.'}] [3, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a malicious FTP server to write files to arbitrary locations on the client system without any privileges or user interaction.

• An attacker can overwrite critical system files if the client has write permissions.
• It can lead to remote code execution by placing malicious files in sensitive locations.
• The integrity and availability of the client system can be severely compromised.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the `basic-ftp` client library improperly handling filenames with path traversal sequences received from an FTP server. Detection involves identifying if your system uses a vulnerable version of the `basic-ftp` library (prior to 5.2.0) and monitoring FTP traffic or logs for suspicious filenames containing sequences like "../".'}, {'type': 'paragraph', 'content': 'You can check the version of the `basic-ftp` package in your Node.js project by running the command:'}, {'type': 'list_item', 'content': 'npm list basic-ftp'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or suspicious activity, you can monitor FTP client logs or network traffic for directory listings containing filenames with path traversal sequences. For example, using network packet capture tools like tcpdump or Wireshark, you can filter FTP LIST commands and inspect filenames for "../" sequences.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A port 21 | grep -E '\\.\\./'"}, {'type': 'paragraph', 'content': 'Additionally, reviewing application logs for warnings about unsafe filenames (if logging is enabled as per the patched version) can help detect attempts to exploit this vulnerability.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the `basic-ftp` library to version 5.2.0 or later, where the vulnerability is patched by sanitizing filenames using the `basename()` function to prevent path traversal.

If upgrading immediately is not possible, avoid using the `downloadToDir()` method with untrusted FTP servers, as this method is vulnerable to path traversal attacks.

Ensure that your FTP client or application logs warnings about unsafe filenames and monitor these logs for suspicious activity.

Review and restrict filesystem permissions for the directories used by the FTP client to minimize potential damage from exploitation.

Useful 0 Not Useful 0