CVE-2023-42659
📋 TL;DR
This vulnerability allows authenticated Ad Hoc Transfer users in WS_FTP Server to upload arbitrary files to any location on the underlying operating system. This unrestricted file upload flaw affects WS_FTP Server versions prior to 8.7.6 and 8.8.4, potentially enabling attackers to upload malicious files like web shells or executables.
💻 Affected Systems
- Progress WS_FTP Server
📦 What is this software?
WS_FTP Server by Progress
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution - attacker uploads malicious executable or web shell, gains complete control of the server, and potentially pivots to other systems.
Likely Case
Data exfiltration, file system manipulation, or installation of backdoors - authenticated attackers can upload files to sensitive locations, steal data, or maintain persistence.
If Mitigated
Limited impact with proper network segmentation and monitoring - even if exploited, damage is contained to the FTP server environment with minimal lateral movement.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained; API call manipulation is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.7.6 or 8.8.4
Vendor Advisory: https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023
Restart Required: Yes
Instructions:
1. Download WS_FTP Server version 8.7.6 or 8.8.4 from the Progress website.
2. Back up configuration and data.
3. Run the installer with administrative privileges.
4. Restart the WS_FTP Server service.
5. Verify the update succeeded.
🔧 Temporary Workarounds
Disable Ad Hoc Transfer
Temporarily disable Ad Hoc Transfer functionality to prevent exploitation while patching.
Navigate to WS_FTP Server Admin > Settings > Ad Hoc Transfer > Disable
Restrict User Permissions
Limit Ad Hoc Transfer user permissions to only necessary functions and implement least privilege.
Modify user roles in WS_FTP Server Admin to remove unnecessary privileges
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WS_FTP Server from critical systems
- Deploy file integrity monitoring and alert on unexpected file uploads to system directories
🔍 How to Verify
Check if Vulnerable:
Check the WS_FTP Server version in the Admin interface: the system is vulnerable if the version is below 8.7.6 (8.7.x branch) or below 8.8.4 (8.8.x branch).
Check Version:
In WS_FTP Server Admin: Help > About or check server properties
Verify Fix Applied:
Verify version shows 8.7.6 or higher (for 8.7.x branch) or 8.8.4 or higher (for 8.8.x branch) in Admin interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns via Ad Hoc Transfer API
- File uploads to system directories outside normal FTP paths
- Multiple failed authentication attempts followed by successful Ad Hoc Transfer
Network Indicators:
- Unusual API calls to Ad Hoc Transfer endpoints
- File uploads with suspicious extensions (.jsp, .php, .exe) via FTP
SIEM Query:
source="ws_ftp.log" AND event="file_upload" AND (path CONTAINS "/../" OR path CONTAINS "system32" OR path CONTAINS "/etc/")
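Substring matching on `/../` misses backslash and mixed-separator spellings, so a stricter check normalizes each logged upload path and tests whether it still lies under the Ad Hoc Transfer upload root. The following is an added example, not code from this page or from Progress; the key="value" log format, the `event`/`user`/`path` field names (borrowed from the query above) and the upload root `C:\WSFTP\AdHoc` are assumptions, and the log lines are constructed.

```python
import ntpath
import re

# Assumption: upload root configured for Ad Hoc Transfer on this server (placeholder).
UPLOAD_ROOT = r"C:\WSFTP\AdHoc"
# Extensions listed under "Network Indicators" above.
SUSPICIOUS_EXT = {".jsp", ".php", ".exe"}
FIELD = re.compile(r'(\w+)="([^"]*)"')

SAMPLE_LOG = [  # constructed lines, not real WS_FTP Server output
    r'event="file_upload" user="alice" path="C:\WSFTP\AdHoc\pkg123\report.pdf"',
    r'event="file_upload" user="bob" path="C:\WSFTP\AdHoc/pkg124/../../../Windows/System32/x.exe"',
    r'event="login" user="carol" path=""',
    r'event="file_upload" user="dave" path="C:\WSFTP\AdHocOld\notes.txt"',
]

def parse_line(line):
    """Parse one key="value" log line into a dict (format is an assumption)."""
    return dict(FIELD.findall(line))

def check_upload(path, root=UPLOAD_ROOT):
    """Return the reasons an upload path is suspicious (empty list if none)."""
    reasons = []
    # Unify '/' and '\', collapse '.' and '..', and fold case, so the path is
    # judged by where it lands rather than by how it is spelled.
    resolved = ntpath.normcase(ntpath.normpath(ntpath.join(root, path)))
    base = ntpath.normcase(ntpath.normpath(root))
    # Require a separator after the root so a sibling such as 'AdHocOld'
    # does not pass as being inside 'AdHoc'.
    if resolved != base and not resolved.startswith(base + "\\"):
        reasons.append("outside-upload-root")
    if ntpath.splitext(resolved)[1] in SUSPICIOUS_EXT:
        reasons.append("suspicious-extension")
    return reasons

def scan(lines, root=UPLOAD_ROOT):
    """Return (user, reasons) for every file_upload event worth alerting on."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") != "file_upload":
            continue
        reasons = check_upload(rec.get("path", ""), root)
        if reasons:
            hits.append((rec.get("user"), reasons))
    return hits

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG):
        print(user, ",".join(reasons))
```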