View Attach (1) Info

Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
jpg
 minor_update.jpg 356.6 kB 1 05-Dec-2023 05:32 Ada Csaba

This page (revision-65) was last changed on 18-Jul-2025 16:52 by Ben Spink

This page was created on 05-Dec-2023 05:32 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed one line
!!REGARDING THE RECENT VULNERABILITY ANNOUNCEMENT AUGUST 10, 2023!
__April 19th, 2024 - CVE-2024-4040\\
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are partially protected with its protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately. (CREDIT:Simon Garrelou, of Airbus CERT)__\\
At line 3 changed one line
If your CrushFTP version is less then 10.5.1, you are vulnerable. No exception. Look at your version number on the dashboard, and it must be 10.5.1 or higher to be safe. For reference, v6, v7, v8,v9...those numbers are less than v10.5.1. Yes, they are vulnerable! Anything below 10.5.1 is vulenrable.\\
!!FAQ:
•If I'm on v10.7.1...do I need to upgrade to v11? No, just update v10 to v10.7.1.\\
•If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.7.1.\\
•Can you tell me how I can check if I have been exploited? Not really..the nature of this was common words that could be in your log already. So there is no silver bullet search term to check for. Looking for "<INCLUDE" is an indicator.\\
•If I have a DMZ am I safe? NO! As of April 22, we have changed our opinion on this. A DMZ does not fully protect you.\\
•If I only have my SFTP port exposed to the internet but not any web ports...am I safe? Yes, this exploit specifically works with the WebInterface port.\\
At line 5 changed one line
!!Updating CrushFTP v10
\\
!!Updating CrushFTP v11
At line 13 changed one line
\\
[{Image src='minor_update.jpg' width='1080' height='..' align='left' style='..' class='..' }]\\
\\
At line 15 changed 2 lines
1.) Download CrushFTP10.zip from our download page. (https://www.crushftp.com/early10/CrushFTP10.zip)\\
2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)\\
1.) Download CrushFTP11.zip from our download page. ([https://www.crushftp.com/early11/CrushFTP11.zip|https://www.crushftp.com/early11/CrushFTP11.zip])\\
2.) Give it the specific name `CrushFTP11_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)\\
At line 26 changed one line
!Changelog: [https://www.crushftp.com/version10_build.html]\\
!Changelog: [https://www.crushftp.com/version11_build.html]\\
At line 28 changed one line
!!Updating an old CrushFTP v9
!!Updating an old CrushFTP v10,v9 and prior
At line 30 changed one line
You need a v10+ license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current.
You need a v11 license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current.
\\
All prior versions of CrushFTP were also affected by this most recent vulnerability.\\
CrushFTP v10 info: [https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update]\\
Version Date Modified Size Author Changes ... Change note
65 18-Jul-2025 16:52 6.065 kB Ben Spink to previous
64 18-Jul-2025 16:50 5.927 kB Ben Spink to previous | to last
63 04-Apr-2025 13:45 6.005 kB Ben Spink to previous | to last
62 02-Apr-2025 03:23 5.805 kB Ben Spink to previous | to last
61 01-Apr-2025 14:13 5.556 kB Ben Spink to previous | to last
« This page (revision-65) was last changed on 18-Jul-2025 16:52 by Ben Spink
G’day (anonymous guest)
CrushFTP11 | What's New

Referenced by
LeftMenu

JSPWiki