CVE-2019-19664 in FTP Server
Summary
by MITRE
A CSRF vulnerability exists in the Web Settings of Web File Manager in Rumpus FTP 8.2.9.1. Exploitation of this vulnerability can result in manipulation of Server Web settings at RAPR/WebSettingsGeneralSet.html.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/11/2025
The vulnerability identified as CVE-2019-19664 represents a critical cross-site request forgery flaw within the web-based administration interface of Rumpus FTP version 8.2.9.1. This issue specifically affects the Web File Manager component where users can configure server web settings through the RAPR/WebSettingsGeneralSet.html interface. The vulnerability stems from the absence of proper anti-CSRF mechanisms in the web application's authentication and authorization framework, creating a significant security gap that malicious actors can exploit to perform unauthorized actions on behalf of authenticated users.
The technical implementation of this vulnerability occurs when an authenticated user visits a malicious website or clicks on a crafted link that triggers unauthorized requests to the vulnerable Rumpus FTP server. The web application fails to validate the origin of requests or verify the presence of anti-CSRF tokens, allowing attackers to manipulate server configuration parameters through forged HTTP requests. This flaw operates at the application layer and specifically targets the web-based administrative interface, making it particularly dangerous as it can be exploited without requiring additional authentication credentials beyond those of a legitimate user.
The operational impact of this vulnerability extends beyond simple privilege escalation as it enables attackers to modify critical server configuration parameters that control web file management functionality. An attacker could potentially alter access controls, modify file permissions, change server behavior, or disable security features through the compromised web settings interface. The implications are severe as these changes could lead to unauthorized file access, data exfiltration, or complete compromise of the file management system. The vulnerability affects the integrity and availability of the web-based file management services, potentially causing service disruption or unauthorized data manipulation.
Security professionals should consider this vulnerability in the context of the CWE-352 weakness classification which specifically addresses cross-site request forgery vulnerabilities. The ATT&CK framework categorizes this issue under T1531 - Account Access Removal and T1078 - Valid Accounts, as exploitation could lead to unauthorized account manipulation or service disruption. Organizations using Rumpus FTP 8.2.9.1 should implement immediate mitigations including the deployment of anti-CSRF tokens in all web forms, implementation of proper request origin validation, and enforcement of SameSite cookie attributes. Additionally, network segmentation and access control measures should be strengthened to limit exposure of the vulnerable web interface to untrusted networks, while regular security assessments should be conducted to identify similar vulnerabilities in other web applications.