CVE-2022-22836 Overview
CVE-2022-22836 is a directory traversal vulnerability affecting CoreFTP Server versions prior to build 727. This security flaw allows authenticated attackers to create files in arbitrary directories outside the intended upload location by using ../ sequences in HTTP PUT requests. The vulnerability stems from improper input validation of file paths in the HTTP request handler.
Critical Impact
Authenticated attackers can write files to arbitrary locations on the server filesystem, potentially leading to web shell deployment, configuration tampering, or system compromise.
Affected Products
- CoreFTP Server versions before build 727
- CoreFTP Server 2.0 builds 639 through 725
- All CoreFTP Server installations with HTTP/HTTPS file transfer enabled
Discovery Timeline
- 2022-01-10 - CVE-2022-22836 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-22836
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) affects the HTTP PUT request handler in CoreFTP Server. When processing file upload requests, the server fails to properly sanitize the destination path parameter, allowing attackers to include path traversal sequences such as ../ in the request URI. This enables authenticated users to escape the designated upload directory and write files to arbitrary locations on the server's filesystem.
The vulnerability requires authentication, meaning an attacker must have valid credentials to exploit this flaw. However, once authenticated, even low-privilege users can leverage this vulnerability to write files outside their authorized directories. The attack is conducted over the network and requires no user interaction, making it relatively straightforward to exploit.
Root Cause
The root cause of CVE-2022-22836 lies in insufficient input validation within the HTTP PUT request handler. The CoreFTP Server does not adequately sanitize or canonicalize file paths before processing upload requests. Specifically, the server fails to:
- Strip or reject path traversal sequences (../ or ..\)
- Validate that the final destination path remains within the configured upload directory
- Implement proper path canonicalization before file creation
This allows malicious path components to be processed literally, enabling directory traversal attacks.
Attack Vector
The attack is executed via the network using HTTP PUT requests to the CoreFTP Server's web interface. An authenticated attacker crafts a malicious HTTP PUT request containing directory traversal sequences in the target path. The server processes the request without proper path validation, resulting in file creation at an attacker-controlled location.
Potential exploitation scenarios include:
- Writing malicious executable files to system directories
- Deploying web shells in web-accessible directories
- Overwriting configuration files to modify server behavior
- Creating scheduled task files for persistence
The vulnerability allows for arbitrary file creation with high integrity impact, though it does not directly provide read access to existing files or cause denial of service.
Detection Methods for CVE-2022-22836
Indicators of Compromise
- HTTP PUT requests containing ../ or encoded path traversal sequences in the URL path
- Unexpected file creation events in directories outside the designated FTP upload paths
- Log entries showing file writes to system directories from the CoreFTP Server process
- Presence of suspicious files (web shells, scripts) in web root or system directories
Detection Strategies
- Monitor CoreFTP Server logs for HTTP PUT requests containing path traversal patterns such as ../, ..%2f, or %2e%2e/
- Implement network-level detection rules to identify HTTP requests with directory traversal sequences targeting CoreFTP Server ports
- Deploy file integrity monitoring on critical directories to detect unauthorized file creation
- Review web server access logs for requests to newly created files in unexpected locations
Monitoring Recommendations
- Enable verbose logging on CoreFTP Server to capture full request URIs for forensic analysis
- Configure SIEM rules to alert on directory traversal patterns in HTTP traffic destined for CoreFTP Server
- Implement real-time file system monitoring on the server hosting CoreFTP to detect anomalous file creation events
- Regularly audit user accounts and permissions to identify potentially compromised credentials
How to Mitigate CVE-2022-22836
Immediate Actions Required
- Upgrade CoreFTP Server to build 727 or later immediately
- Review server logs for evidence of exploitation attempts using path traversal patterns
- Audit the filesystem for unauthorized files created outside designated upload directories
- Consider temporarily disabling HTTP/HTTPS file transfer functionality until patching is complete
Patch Information
CoreFTP has released build 727 which addresses this directory traversal vulnerability. Organizations should upgrade to build 727 or the latest available version as soon as possible. Detailed patch information and download links are available through the Core FTP Forum Discussion. Additional technical analysis can be found at Your Security Bores Analysis.
Workarounds
- Disable HTTP/HTTPS file transfer functionality if not required, limiting the server to FTP/SFTP protocols only
- Implement network segmentation to restrict access to CoreFTP Server from untrusted networks
- Deploy a web application firewall (WAF) with rules to block requests containing path traversal sequences
- Review and restrict user account permissions to minimize the potential impact of exploitation
# Verification command to check CoreFTP Server version
# Access the CoreFTP Server admin interface and verify build number is 727 or higher
# Alternatively, check the version information in the server executable properties
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
