CVE-2019-19660 in FTP Server

Summary

by MITRE

A CSRF vulnerability exists in the Web File Manager's Network Setting functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can manipulate the SMTP setting and other network settings via RAPR/NetworkSettingsSet.html.


Analysis

by VulDB Data Team • 05/11/2025

CVE-2019-19660 is a critical cross-site request forgery (CSRF) flaw in the web interface of Rumpus FTP Server version 8.2.9.1. It affects the Network Setting functionality of the Web File Manager component and poses a significant security risk to organizations that rely on this FTP server. The flaw lies in the RAPR/NetworkSettingsSet.html endpoint, which processes network configuration changes without proper authentication verification or anti-CSRF token validation, so an attacker can trigger unauthorized changes to the server's network configuration parameters.

Exploitation consists of manipulating network settings, including SMTP configuration parameters and other critical network components. An attacker crafts a malicious web page or email containing an embedded request; when an authenticated user visits it, the browser automatically submits a request that modifies the server's network settings. The root cause is the absence of CSRF protection in the web application's request-processing flow, particularly in the network settings management interface. The attack operates at the application layer and abuses the trust relationship between the browser and the server: the browser attaches the authenticated session to every request, and the server never validates the request's source or authenticity.

The operational impact goes beyond a simple configuration change. Manipulating SMTP settings can let an attacker redirect email notifications, compromise email-based authentication mechanisms, or establish unauthorized communication channels. Other network settings changes could affect firewall configuration, DNS resolution, or further connectivity parameters, disrupting service availability or creating backdoor access points. The risk is significant for organizations running Rumpus FTP Server in enterprise environments, where network configuration changes can affect multiple systems and services. Because many organizations depend on FTP servers for file transfer, unauthorized network configuration changes could lead to data exfiltration, service disruption, or further compromise of the network infrastructure.

Mitigation should focus on robust anti-CSRF protection: a unique, unpredictable token per user session that is validated on every state-changing request. Organizations should also implement request origin validation, session management controls, and regular security assessments of web-based administrative interfaces. The vulnerability corresponds to CWE-352 (Cross-Site Request Forgery) and maps to ATT&CK techniques T1078.004 (Valid Accounts) and T1566.001 (Phishing), since the attack typically relies on social engineering to lure users to a malicious page. Additionally, organizations should apply network segmentation, disable unnecessary web interfaces, and keep their FTP server installations updated. Remediation requires promptly updating Rumpus FTP Server to version 8.2.9.2 or later, which includes proper CSRF protection, together with a security audit of all web-based administrative interfaces to identify similar weaknesses in other components of the system.
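As an added illustration of the mitigations described above (not code from the advisory or from Rumpus), the following Python sketch places a settings handler that trusts the session cookie alone next to one that also validates the request origin and a per-session anti-CSRF token on every state-changing request. TRUSTED_ORIGIN, the session and form dictionaries, and the function names are assumptions chosen for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the administrative web interface (placeholder, not a real host).
TRUSTED_ORIGIN = "https://ftp.example.test"

# Constructed stand-in for server-side session state: session id -> issued token.
_csrf_tokens = {}


def issue_csrf_token(session_id):
    """Mint an unpredictable token bound to one session; the server embeds it in
    the settings form so that only a page served by the server knows its value."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def settings_set_vulnerable(session, form):
    """Pattern the advisory describes: a request is applied as long as the browser
    attached a valid session, so a cross-site form post is honoured unchanged."""
    session["settings"].update(form)
    return session["settings"]


def settings_set_hardened(session, headers, form):
    """Same handler with the two mitigations the advisory calls for.
    Returns (True, settings) on success or (False, reason) when rejected."""
    # 1. Origin validation: browsers add Origin (or Referer) on cross-site POSTs,
    #    and an attacker's page cannot forge that header from a victim's browser.
    origin = headers.get("Origin") or headers.get("Referer", "")
    parsed = urlparse(origin)
    if "%s://%s" % (parsed.scheme, parsed.netloc) != TRUSTED_ORIGIN:
        return False, "origin mismatch"
    # 2. Per-session token: a forged request either omits it or carries the
    #    wrong value, because the attacker cannot read the victim's form.
    expected = _csrf_tokens.get(session["id"])
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    # 3. Only now apply the change, keeping the token itself out of the settings.
    session["settings"].update({k: v for k, v in form.items() if k != "csrf_token"})
    return True, session["settings"]
```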
