CVE-2019-19664

7.1 HIGH

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Rumpus FTP Web File Manager's web settings interface. Attackers can trick authenticated administrators into unknowingly submitting malicious requests that modify server web settings. This affects Rumpus FTP administrators who access the web interface while authenticated.

💻 Affected Systems

Products:
  • Rumpus FTP
Versions: 8.2.9.1 and likely earlier versions
Operating Systems: All platforms running Rumpus FTP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator authentication to the web interface for exploitation, but the vulnerability exists in default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of web server settings, potentially enabling further attacks like redirecting users to malicious sites, disabling security features, or modifying authentication mechanisms.

🟠

Likely Case

Unauthorized changes to web server configuration, potentially disrupting service availability or enabling phishing attacks through modified web content.

🟢

If Mitigated

No impact if CSRF protections are implemented or if administrators don't access malicious sites while authenticated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim administrator to be authenticated and visit a malicious webpage. CSRF attacks are well-understood and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.9.2 or later

Vendor Advisory: https://www.maxum.com/Rumpus/

Restart Required: Yes

Instructions:

1. Download the latest version from the Maxum website.
2. Back up the current configuration.
3. Install the update.
4. Restart the Rumpus service.
5. Verify web settings functionality.

🔧 Temporary Workarounds

Implement CSRF Tokens

Platforms: all

Add anti-CSRF tokens to the web settings forms.

Requires custom web application modifications.

Network Segmentation

Platforms: all

Restrict access to the Rumpus web interface to trusted networks only.

Use firewall rules to limit access to specific source IPs.

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies for Rumpus web sessions
  • Use separate browser profiles for administrative tasks and general web browsing

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Rumpus version is 8.2.9.1 or earlier, and examine WebSettingsGeneralSet.html for CSRF protections such as an anti-CSRF token field.

Check Version:

Check Rumpus admin interface or installation directory for version information

Verify Fix Applied:

Verify that the version is 8.2.9.2 or later, and test the CSRF protection by attempting to submit the form without a valid token; the request should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple web settings changes from same session in short time
  • Settings modifications without corresponding admin login events

Network Indicators:

  • HTTP POST requests to /RAPR/WebSettingsGeneralSet.html with a missing Referer header, or with an Origin/Referer from an external site

SIEM Query:

source="rumpus.log" AND (event="settings_change" OR url="/RAPR/WebSettingsGeneralSet.html") | stats count by src_ip, user
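The network indicator above can be checked offline against exported web logs. The following is an added example written for this page, not code from the Rumpus product or its vendor; it assumes a log layout of `<ip> <user> "<METHOD> <path>" <status> "<Referer>" "<Origin>"`, with the sample lines constructed here, and takes the Rumpus server's own hostname as the only trusted source for settings changes.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in the assumed layout:
# <ip> <user> "<METHOD> <path>" <status> "<Referer>" "<Origin>"
SAMPLE_LOG = """\
10.0.0.5 admin "POST /RAPR/WebSettingsGeneralSet.html" 200 "https://ftp.example.internal/RAPR/WebSettingsGeneral.html" "https://ftp.example.internal"
203.0.113.9 admin "POST /RAPR/WebSettingsGeneralSet.html" 200 "-" "-"
10.0.0.7 admin "POST /RAPR/WebSettingsGeneralSet.html" 200 "https://lure.example.net/page.html" "https://lure.example.net"
10.0.0.5 admin "GET /RAPR/WebSettingsGeneral.html" 200 "https://ftp.example.internal/RAPR/" "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)" "([^"]*)"$')
TARGET_PATH = "/RAPR/WebSettingsGeneralSet.html"  # settings endpoint named by the advisory


def flag_csrf_candidates(log_text, trusted_host):
    """Return POSTs to the settings endpoint whose source is missing or not trusted_host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, user, method, path, _status, referer, origin = m.groups()
        if method != "POST" or path != TARGET_PATH:
            continue
        # Browsers send Origin on cross-site POSTs; fall back to Referer when absent.
        source = origin if origin != "-" else referer
        if source == "-":
            # Weak signal on its own: privacy settings can strip both headers.
            reason = "missing Origin and Referer"
        else:
            host = urlparse(source).hostname
            if host == trusted_host:
                continue  # same-site submission from the admin UI itself
            reason = f"cross-site source {host}"
        findings.append({"ip": ip, "user": user, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_csrf_candidates(SAMPLE_LOG, "ftp.example.internal"):
        print(f)
```

Entries flagged with a cross-site source are the strongest indicator; entries flagged only for missing headers should be correlated with the session and login events listed above before acting on them.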
