CVE-2019-19668 in FTP Serverinfo

Summary

by MITRE

A CSRF vulnerability exists in the File Types component of Web File Manager in Rumpus FTP 8.2.9.1 that allows an attacker to add or delete the file types that are used on the server via RAPR/TriggerServerFunction.html.


Analysis

by VulDB Data Team • 05/11/2025

CVE-2019-19668 is a cross-site request forgery (CSRF, CWE-352) flaw in the web file management interface of Rumpus FTP 8.2.9.1. The affected function is the File Types component of the Web File Manager, the administrative view in which the file types the server recognises are defined. The server-side handler, RAPR/TriggerServerFunction.html, acts on a file-type add or delete request as soon as it arrives with a valid session cookie; it does not check that the request was deliberately issued from the Rumpus administration pages rather than from an unrelated site.

Exploitation follows the standard CSRF pattern. An administrator who is logged in to the Rumpus web interface visits a page under the attacker's control, or follows a link to it. That page contains a form or script that submits a request to RAPR/TriggerServerFunction.html on the Rumpus server. The browser attaches the administrator's session cookie automatically, so the server treats the request as an authenticated administrative action. No anti-CSRF token and no check of the Origin or Referer header stands in the way, and the attacker can add or delete file types without ever holding credentials. The attacker does need to know or guess the address of the Rumpus server and the parameters the endpoint expects, and the victim's browser must still send the session cookie on a cross-site request, which a SameSite attribute on that cookie would prevent.

The published description limits the impact to adding or deleting the file types used by the server; nothing on this page supports a stronger claim such as code execution. The practical consequences are that an attacker can change how the Web File Manager treats uploads and downloads of particular extensions, and can remove definitions the server relies on, disrupting operations until an administrator restores them by hand. Because the change is written to the server configuration, it persists after the forged request itself is gone. The attack vector is social engineering: the administrator is lured to a page that submits the request in the background, with no further interaction required.

Mitigation is the usual set of CSRF defences applied to the affected interface. Every state-changing request to RAPR/TriggerServerFunction.html should carry a token bound to the user's session and should be rejected when the token is absent or does not match; the server should also require POST for state changes and verify that the Origin (or, failing that, Referer) header names the origin that serves the admin UI. Marking the session cookie SameSite=Lax or Strict stops the browser from attaching it to cross-site POSTs and is a cheap complementary layer. Until the software is updated to a version in which the vendor has addressed this issue, administrators can reduce exposure by restricting network access to the web administration interface and by placing a web application firewall in front of it to flag unexpected cross-origin requests to the endpoint. CSRF is a common class of defect, so the other administrative functions of the Web File Manager deserve the same review. The EPSS score and activity rating on this page indicate that exploitation in the wild is currently considered unlikely, which does not change the fix but helps with prioritisation.
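As an added illustration of the mechanism in the two paragraphs above and of the defences just listed, here is a small model of a file-type admin handler in both its vulnerable and its hardened form. This is example code written for this page, not Rumpus code: the cookie name, the admin-UI origin, the `action`/`extension`/`csrf_token` form fields and the request shapes are assumptions. The scenario it runs is constructed: a logged-in administrator's browser first submits a forged delete request from `evil.example`, then a legitimate add request from the admin UI.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed deployment values (not taken from the Rumpus product):
ALLOWED_ORIGINS = {"https://ftp.example.com"}  # origin that serves the admin UI
SESSION_COOKIE = "rumpus_session"               # assumed session cookie name
SERVER_SECRET = secrets.token_bytes(32)         # key that binds CSRF tokens to sessions


@dataclass
class Request:
    """The parts of an HTTP request that matter for the CSRF decision."""
    method: str
    origin: Optional[str]        # Origin header; browsers set it on cross-site POSTs
    cookies: Dict[str, str]      # cookies the browser attached automatically
    form: Dict[str, str]         # submitted form fields


@dataclass
class Session:
    sid: str
    user: str


SESSIONS: Dict[str, Session] = {}  # cookie value -> server-side session


def csrf_token_for(session: Session) -> str:
    """Synchronizer token: HMAC over the session id, embedded in every admin form."""
    return hmac.new(SERVER_SECRET, session.sid.encode(), hashlib.sha256).hexdigest()


def lookup_session(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))


def apply_action(form: Dict[str, str], file_types: Set[str]) -> str:
    """The state change itself: add or delete a file type (assumed field names)."""
    ext = form.get("extension", "").lower().lstrip(".")
    if not ext:
        return "400 missing extension"
    if form.get("action") == "add":
        file_types.add(ext)
        return "200 added " + ext
    if form.get("action") == "delete":
        file_types.discard(ext)
        return "200 deleted " + ext
    return "400 unknown action"


def handle_unprotected(req: Request, file_types: Set[str]) -> str:
    """Vulnerable pattern: a valid session cookie is the only check, so a forged
    cross-site request that carries that cookie is processed."""
    if lookup_session(req) is None:
        return "401 not logged in"
    return apply_action(req.form, file_types)


def handle_protected(req: Request, file_types: Set[str]) -> str:
    """Hardened pattern: POST only, Origin must be the admin UI, and the form must
    carry the session-bound token, compared in constant time."""
    sess = lookup_session(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    if req.origin not in ALLOWED_ORIGINS:   # None (header absent) is rejected too
        return "403 bad origin"
    if not hmac.compare_digest(csrf_token_for(sess), req.form.get("csrf_token", "")):
        return "403 missing or invalid CSRF token"
    return apply_action(req.form, file_types)


def run_demo() -> Dict[str, str]:
    """Constructed scenario: the admin is logged in; a page on evil.example submits
    a delete request, then the admin submits a legitimate add request."""
    SESSIONS.clear()
    SESSIONS["s3ss10n"] = Session(sid="s3ss10n", user="admin")
    admin_cookie = {SESSION_COOKIE: "s3ss10n"}  # the browser attaches this to both requests

    forged = Request(method="POST", origin="https://evil.example", cookies=admin_cookie,
                     form={"action": "delete", "extension": "exe"})
    legit = Request(method="POST", origin="https://ftp.example.com", cookies=admin_cookie,
                    form={"action": "add", "extension": "txt",
                          "csrf_token": csrf_token_for(SESSIONS["s3ss10n"])})

    vulnerable_types = {"exe", "pdf"}
    hardened_types = {"exe", "pdf"}
    return {
        "unprotected_forged": handle_unprotected(forged, vulnerable_types),
        "protected_forged": handle_protected(forged, hardened_types),
        "protected_legit": handle_protected(legit, hardened_types),
        "vulnerable_types": ",".join(sorted(vulnerable_types)),
        "hardened_types": ",".join(sorted(hardened_types)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The unprotected handler deletes the `exe` type for the forged request because the session cookie alone satisfies it; the protected handler refuses the same request on the Origin check before the token is even examined, and accepts the legitimate one. In a real deployment the token would come from the web framework rather than a hand-rolled HMAC, and the session cookie would additionally be set with SameSite=Lax so that the browser never attaches it to a cross-site POST in the first place.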

Reservation

12/09/2019

Moderation

accepted

CPE

ready

EPSS

0.00379

KEV

no

Activities

very low
