CVE-2019-19666 in FTP Server

Summary

by MITRE

A CSRF vulnerability exists in the Event Notices Settings of Web File Manager in Rumpus FTP 8.2.9.1. An attacker can create/update event notices via RAPR/EventNoticesSet.html.


Analysis

by VulDB Data Team • 05/11/2025

The vulnerability identified as CVE-2019-19666 represents a cross-site request forgery flaw within the Web File Manager component of Rumpus FTP version 8.2.9.1. This security weakness specifically targets the Event Notices Settings functionality, which allows administrators to configure automated notifications for various file system events. The vulnerability stems from the absence of proper authentication checks and anti-CSRF protections in the RAPR/EventNoticesSet.html endpoint, which serves as the interface for creating and modifying event notifications. Attackers can exploit this flaw by crafting malicious web pages or email attachments that, when visited by an authenticated administrator, automatically submit requests to modify the event notice settings without the user's knowledge or explicit consent.

The technical implementation of this vulnerability demonstrates a classic CSRF attack vector where the application fails to validate the origin of requests or implement proper anti-CSRF tokens. When an administrator visits a malicious page containing embedded requests to the EventNoticesSet.html endpoint, the browser automatically submits the request with the administrator's credentials and session information. This occurs because the web application does not require a unique, unpredictable token that ties the request to the user's current session, nor does it validate that the request originated from the legitimate administrative interface. The vulnerability exists at the application layer and affects the authentication and authorization mechanisms that should protect sensitive configuration settings. According to CWE classification, this represents a CWE-352 Cross-Site Request Forgery vulnerability, which is categorized under the broader category of authentication and authorization flaws.

The operational impact of this vulnerability is significant for organizations using Rumpus FTP 8.2.9.1, as it provides attackers with the ability to manipulate critical system notifications and potentially gain unauthorized access to sensitive information. An attacker could modify event notices to redirect notifications to malicious addresses, disable important alerts, or create false notifications that could confuse system administrators. This could lead to missed security incidents, unauthorized access to files, or the establishment of persistent backdoors through the manipulation of automated notification systems. The vulnerability is particularly dangerous because it targets administrative settings that control how the system communicates security events, potentially allowing attackers to remain undetected while compromising the integrity of the file management system. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it leverages authenticated sessions to perform unauthorized actions and can be delivered through social engineering campaigns.

Organizations should immediately implement mitigations: anti-CSRF tokens on all administrative endpoints, proper Referer header validation, and SameSite cookie attributes so that cross-origin requests do not carry the administrator's session. The most effective immediate solution is updating to a patched version of Rumpus FTP that addresses this vulnerability, as the vendor has likely released a security update. Additionally, network administrators should consider deploying web application firewalls that can detect and block suspicious requests to administrative endpoints, particularly those attempting to modify configuration settings. Access controls should be reviewed to ensure that only authorized personnel can reach administrative interfaces, and multi-factor authentication should be implemented where possible. Regular security assessments should include testing for CSRF vulnerabilities in all administrative interfaces, and security awareness training should help administrators recognize phishing attempts that could exploit this vulnerability. The remediation process should also include monitoring system logs for unauthorized configuration changes that might indicate exploitation attempts, since the vulnerability could be used to establish persistent access to the system through manipulation of notification settings.
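The following is an added illustration of the three server-side defenses named above (a session-bound anti-CSRF token, a source-origin check, and a SameSite session cookie), applied to a state-changing settings handler. It is example code written for this page, not Rumpus FTP's own implementation; the endpoint name, site origin, cookie name, form field names and the secret are all assumptions made for the demonstration, and the two sample requests are constructed. The pattern generalizes to any administrative settings endpoint, not only the event-notices one discussed here.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed values for the illustration only (not from the vulnerable product).
SITE_ORIGIN = "https://fileserver.example"
SERVER_SECRET = b"constructed-secret-for-example-only"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce + HMAC(secret, session_id:nonce).
    Because the MAC covers the session id, a token captured from one session is
    useless in another, and the token cannot be guessed by a third-party page."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Source-origin check: accept only requests whose Origin (or, failing that,
    Referer) matches the site. A settings change with neither header fails closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs, so a
    forged request from another site arrives without the admin's session at all."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def session_from_cookie(headers: Dict[str, str]) -> Optional[str]:
    """Minimal Cookie-header parser for the assumed 'session' cookie."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


def handle_event_notices_set(request: Dict) -> Tuple[int, str]:
    """Hypothetical handler for a settings-changing endpoint. Every guard runs
    before any change is applied; the order is cheapest-check first."""
    if request["method"] != "POST":            # state changes never ride on GET
        return 405, "method not allowed"
    session_id = session_from_cookie(request["headers"])
    if session_id is None:                     # e.g. SameSite=Lax withheld the cookie
        return 401, "no session"
    if not origin_allowed(request["headers"]):
        return 403, "cross-origin request rejected"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "event notice settings updated"


def demo() -> Dict[str, Tuple[int, str]]:
    """Constructed requests: one from the legitimate admin UI, one forged by a
    third-party page that carries the cookie (as an older browser would) but
    cannot supply the token, and one GET with no origin information."""
    session_id = "sess-constructed-123"
    token = issue_csrf_token(session_id)
    cookie = f"session={session_id}"
    legit = {"method": "POST",
             "headers": {"Origin": SITE_ORIGIN, "Cookie": cookie},
             "form": {"csrf_token": token, "notice_email": "admin@fileserver.example"}}
    forged = {"method": "POST",
              "headers": {"Origin": "https://other-site.example", "Cookie": cookie},
              "form": {"notice_email": "someone@other-site.example"}}
    forged_get = {"method": "GET", "headers": {"Cookie": cookie}, "form": {}}
    return {"legit": handle_event_notices_set(legit),
            "forged": handle_event_notices_set(forged),
            "forged_get": handle_event_notices_set(forged_get)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token and origin checks are deliberately independent: the origin check catches the forged request even if the token scheme were later weakened, and the token check catches a request whose Origin header was stripped by a proxy or privacy extension, since the handler then refuses rather than assumes. Logging the 403 branches gives the "unauthorized configuration change" signal the remediation advice above asks monitoring to look for.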

Reservation: 12/09/2019

Moderation: accepted

CPE: ready

EPSS: 0.00379

KEV: no

Activities: very low
