CVE-2019-19663 in FTP Server

Summary

by MITRE

A CSRF vulnerability exists in the Folder Sets Settings of Web File Manager in Rumpus FTP 8.2.9.1. This allows an attacker to Create/Delete Folders after exploiting it at RAPR/FolderSetsSet.html.


Analysis

by VulDB Data Team • 05/11/2025

The vulnerability identified as CVE-2019-19663 is a critical cross-site request forgery (CSRF) flaw in the web file manager interface of Rumpus FTP 8.2.9.1. It affects the Folder Sets Settings functionality and poses a significant security risk for organizations relying on this FTP server implementation. The flaw resides in the RAPR/FolderSetsSet.html endpoint, which does not verify that a state-changing request was intentionally issued by the authenticated user rather than triggered from a page outside the application, thereby exposing the system to malicious manipulation.

Technically, this CSRF vulnerability stems from the absence of anti-CSRF tokens or an equivalent validation mechanism in the web interface. When an authenticated user uses the Folder Sets Settings page, the application does not require a unique, unpredictable token with each request that would prove the request came from its own form. Because the browser attaches the user's session cookie automatically, a malicious web page visited by that user can cause unauthorized folder creation or deletion operations to be submitted in the user's name. The flaw sits in the web-based administrative interface at the application layer rather than in the core FTP protocol itself, which is what makes it reachable in remote exploitation scenarios.
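To make the missing control concrete, the following added example (not code from Rumpus or from this advisory) models the pattern described above in a few dozen lines of Python: a state-changing handler whose only check is the session cookie, beside a hardened version that additionally requires a per-session synchronizer token and a trusted Origin/Referer. The session store, the host name ftp-admin.example.internal, the form field names and the Request class are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Hypothetical in-memory session store: session id -> CSRF token bound to that session.
SESSIONS: Dict[str, str] = {}

# Host the management interface is assumed to be served on (example value, not from the advisory).
TRUSTED_HOST = "ftp-admin.example.internal"


@dataclass
class Request:
    """Minimal model of an HTTP request to the web file manager (constructed for this example)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def new_session() -> str:
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate settings page would embed in its own form."""
    return SESSIONS[sid]


def folder_set_handler_vulnerable(req: Request, folders: set) -> str:
    """The weakness the advisory describes: the only check is the session cookie,
    which the browser sends automatically, so any page the user visits can
    make the browser submit this request."""
    if req.cookies.get("sid") not in SESSIONS:
        return "401 not logged in"
    if req.form.get("action") == "create":
        folders.add(req.form["name"])
    elif req.form.get("action") == "delete":
        folders.discard(req.form["name"])
    return "200 ok"


def _origin_is_trusted(req: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) names our own host.
    A missing Origin on a state-changing request is treated as untrusted."""
    from urllib.parse import urlsplit
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == TRUSTED_HOST


def folder_set_handler_hardened(req: Request, folders: set) -> str:
    """Synchronizer-token check plus Origin check, the mitigation the advisory calls for."""
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return "401 not logged in"
    if req.method != "POST":
        return "405 method not allowed"  # state changes only via POST, never via GET links
    if not _origin_is_trusted(req):
        return "403 cross-site request rejected"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed one byte at a time.
    if not hmac.compare_digest(submitted, SESSIONS[sid]):
        return "403 invalid csrf token"
    if req.form.get("action") == "create":
        folders.add(req.form["name"])
    elif req.form.get("action") == "delete":
        folders.discard(req.form["name"])
    return "200 ok"
```

The two handlers differ only in the three checks at the top of the hardened one; the Origin check alone already blocks a request submitted from another site, and the token check covers the cases where the browser omits Origin or a proxy strips it. Setting the session cookie with SameSite=Lax or Strict is a further layer, but it is not a substitute for the token because it depends on client behaviour rather than on the server.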

The operational impact of this vulnerability extends beyond simple unauthorized file manipulation, as it can enable attackers to fundamentally alter the directory structure and access controls within the FTP environment. An attacker who successfully exploits this vulnerability can create malicious folder structures that may serve as persistent backdoors, delete critical organizational folders, or disrupt normal file management operations. The consequences can range from data loss and system disruption to potential privilege escalation within the FTP server environment, depending on the administrative permissions of the compromised user account. This vulnerability particularly affects organizations that rely on web-based management interfaces for their FTP infrastructure, as it eliminates the need for direct system compromise.

Organizations should immediately implement mitigations, above all enabling proper CSRF token validation in the web interface, and additionally deploying web application firewalls that can detect and block suspicious cross-site requests and restricting administrative access to trusted networks only. A Content Security Policy header can provide additional protection against unauthorized script execution, while regular security audits of web interfaces should be conducted to identify similar vulnerabilities. According to CWE standards, this vulnerability maps to CWE-352, which specifically addresses Cross-Site Request Forgery, and aligns with ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing). Administrators should also consider implementing multi-factor authentication for administrative access and regularly updating the Rumpus FTP software to ensure all known vulnerabilities are patched. The vulnerability underscores the critical importance of validating all user inputs and implementing robust session management controls in web applications to prevent unauthorized operations.
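For the detection side of the mitigations above, the following added example (not code from the advisory or from Rumpus) scans web-server access logs for state-changing requests to the affected endpoint whose Referer is missing or points to a host other than the management interface. The log lines are constructed for the example in combined log format; the host name ftp-admin.example.internal is assumed, and whether a given Rumpus deployment logs the Referer header at all is something to verify before relying on this.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Host of the management interface (assumed value for this example).
ADMIN_HOST = "ftp-admin.example.internal"
# State-changing endpoint named in the advisory; extend with other settings pages as needed.
WATCHED_PATHS = {"/RAPR/FolderSetsSet.html"}
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample access-log lines (combined log format), not real Rumpus output.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Nov/2025:10:01:12 +0000] "GET /RAPR/FolderSetsSet.html HTTP/1.1" 200 5120 "https://ftp-admin.example.internal/RAPR/Home.html" "Mozilla/5.0"
10.0.0.5 - alice [05/Nov/2025:10:01:40 +0000] "POST /RAPR/FolderSetsSet.html HTTP/1.1" 200 312 "https://ftp-admin.example.internal/RAPR/FolderSetsSet.html" "Mozilla/5.0"
10.0.0.5 - alice [05/Nov/2025:10:07:03 +0000] "POST /RAPR/FolderSetsSet.html HTTP/1.1" 200 312 "https://news.example.net/article.html" "Mozilla/5.0"
10.0.0.5 - alice [05/Nov/2025:10:07:05 +0000] "POST /RAPR/FolderSetsSet.html HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - bob [05/Nov/2025:10:09:00 +0000] "GET /RAPR/Login.html HTTP/1.1" 200 2200 "https://news.example.net/article.html" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site_admin_request(entry: Dict[str, str]) -> bool:
    """True for a state-changing request to a watched path whose Referer is absent
    or names a host other than the management interface."""
    if entry["method"] not in STATE_CHANGING_METHODS:
        return False
    if entry["path"].split("?", 1)[0] not in WATCHED_PATHS:
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        return True  # missing Referer on a settings change deserves a look
    return urlsplit(referer).hostname != ADMIN_HOST


def find_cross_site_admin_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries that match the detection rule."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_cross_site_admin_request(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_cross_site_admin_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["user"]}@{hit["ip"]} {hit["method"]} {hit["path"]} referer={hit["referer"]!r}')
```

On the sample above the rule flags the two POSTs made while the user's browser was on news.example.net or sent no Referer, and ignores the GET requests and the POST that came from the settings page itself. A missing Referer is a weaker signal than a foreign one, since a Referrer-Policy or a privacy extension can strip it legitimately, so in practice the two cases are worth scoring differently rather than treated as equal.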

Reservation

12/09/2019

Moderation

accepted

CPE

ready

EPSS

0.00435

KEV

no

Activities

very low

Sources
