CVE-2020-11706 in ProVide

Summary

by MITRE

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. The Admin Interface allows CSRF for actions such as: Change any username and password, admin ones included; Create/Delete users; Enable/Disable Services; Set a rogue update proxy; and Shutdown the server.


Analysis

by VulDB Data Team • 05/09/2025

CVE-2020-11706 is a cross-site request forgery (CSRF) flaw in ProVide (formerly zFTPServer) through version 13.1. It resides in the web-based Admin Interface that governs server configuration and user management. The interface accepts state-changing requests without any anti-CSRF mechanism, so a request that a logged-in administrator's browser is induced to send on an attacker's behalf is processed with the administrator's session and privileges.

The interface neither checks where a request comes from (Origin or Referer) nor requires a per-session token proving that the request was issued from one of its own pages. If an administrator who is logged in visits an attacker-controlled page, or follows a link to one, that page can make the browser submit a request to the Admin Interface; the browser attaches the administrator's session cookie automatically, and the server executes the action without the administrator's knowledge or consent. The actions listed in the advisory include changing any user's username and password (admin accounts included), creating and deleting users, enabling and disabling services, setting a rogue update proxy, and shutting down the server. Because the ambient session is the only thing checked, an attacker who can get an administrator to load a page obtains full administrative control without any credential of their own.

The operational impact follows directly from the actions exposed. Changing credentials or creating accounts gives the attacker durable access to the FTP server and to whatever data it hosts, which can then be read or exfiltrated. Disabling services interrupts file transfers, and a rogue update proxy routes the server's update traffic through a host the attacker controls. The shutdown action is a one-request denial of service against the file transfer service. The weakness is CWE-352 (Cross-Site Request Forgery). The ATT&CK techniques listed for this entry are T1078.004 (Valid Accounts: Cloud Accounts), covering the later use of the accounts an attacker takes over or creates, and T1499.004 (Endpoint Denial of Service: Application or System Exploitation), covering the shutdown; together they describe persistence and service disruption rather than the initial exploitation, which is the browser-mediated request itself.

The fix has to come from the vendor: the Admin Interface needs a per-session anti-CSRF token (or an equivalent such as a double-submit or Fetch Metadata check) on every state-changing request, validation of the Origin or Referer header against the console's own origin, and re-authentication for sensitive actions such as credential changes. Operators should check with the vendor for a release that adds these controls. Until it is deployed, reduce exposure rather than try to add tokens to software they do not control: restrict the Admin Interface to a management network or VPN, use it from a dedicated browser profile with no other tabs open and log out when finished, and alert on unexpected administrative activity in the server logs (user creation, credential changes, proxy configuration changes, service stops, shutdowns). The same review is worth applying to other web-based administrative consoles in the environment, since the pattern is common; CSRF protection for administrative functions is a baseline expectation in OWASP's guidance and in the session management controls of NIST SP 800-53.

Reservation

04/12/2020

Moderation

accepted

CPE

ready

EPSS

0.00496

KEV

no

Activities

very low
