| At line 1 changed 2 lines |
| April 19th, 2024\\ |
| CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are protected with its protocol translation system it utilizes. (CREDIT:Simon Garrelou, of Airbus CERT)\\ |
| !!!__Update Bug on Windows__ |
| Some versions of CrushFTP had a problem applying an update automatically. They would fail to rename ".jar" files on Windows operating systems. They would instead leave behind ".jar_tmp" files needing the "_tmp" manually removed from them. This has been fixed for a while, but if you are still on one of these older builds, you will be affected the next time you attempt the update. So you need to fix the jar filenames one time manually. Example: CrushFTP.jar_tmp -> CrushFTP.jar. Same for all other jars in plugins, plugins/lib folder, and the WebInterface folder has CrushTunnel.jar. Do all 3 locations entirely. |
| At line 4 removed 3 lines |
| __IMPORTANT: due to the security updates since CrushFTP version 10.5.2+ any JDBC driver jar file needs to be placed into the CrushFTP10/plugins/lib/ directory, or it won't load. In case of a server previously configured using an external SQL user DB, this new feature prevents access on next launch, will need to move the jar file, then edit prefs.XML, update the <db_driver> key value like\\ |
| {{{<db_driver>./mssql-jdbc-12.4.0.jre11.jar</db_driver>}}} |
|
| At line 5 added 11 lines |
| !!Vulnerability Info |
| __November 11th, 2024 - (CVE - coming soon...pending)\\ |
| V10 versions below 10.8.3 and V11 versions below 11.2.3 are vulnerable to a password reset email exploit. If an end user clicks the link, their account is compromised. |
| (CREDIT: Stratascale Cyber Research Unit)__\\ |
| Once you update you must configure your allowed email reset URL domains.\\ |
| v10:Preferences, WebInterface, MiniURL: Set an allowed list of domains, comma separated.\\ |
| v11:Preferneces, WebInterface, Login Page: Set a domain pattern that is not just '*' as a '*' is no longer allowed.\\ |
| ---- |
| April 19th, 2024 - CVE-2024-4040\\ |
| CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a [DMZ] in front of their main CrushFTP instance are partially protected with its protocol translation system it utilizes. A DMZ however does not fully protect you and you must update immediately. (CREDIT:Simon Garrelou, of Airbus CERT)\\ |
| ---- |
| At line 9 changed one line |
| !!Updating CrushFTP v10 |
| !!FAQ: |
| •If I'm on v10.8.3+...do I need to upgrade to v11? No, 10.8.3+ are safe.\\ |
| •If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.8.3+ or v11.2.3+.\\ |
| \\ |
| \\ |
| !!Updating CrushFTP v11 |
| At line 21 changed 2 lines |
| 1.) Download CrushFTP10.zip from our download page. ([https://www.crushftp.com/early10/CrushFTP10.zip|https://www.crushftp.com/early10/CrushFTP10.zip])\\ |
| 2.) Give it the specific name `CrushFTP10_new.zip` and place this in the CrushFTP main folder. (Same location where you have your prefs.XML file)\\ |
| 1.) Download CrushFTP11.zip from our download page. ([https://www.crushftp.com/early11/CrushFTP11.zip|https://www.crushftp.com/early11/CrushFTP11.zip])\\ |
| 2.) Give it the specific name `CrushFTP11_new.zip` and place this in the CrushFTP main folder. (Same location where you have your CrushFTP.jar file)\\ |
| At line 32 changed one line |
| !Changelog: [https://www.crushftp.com/version10_build.html]\\ |
| !Changelog: [https://www.crushftp.com/version11_build.html]\\ |
| At line 34 changed one line |
| !!Updating an old CrushFTP v9 |
| !!Updating an old CrushFTP v10,v9 and prior |
| At line 36 changed one line |
| You need a v10+ license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current. |
| You need a v11 license code first! If you are an enterprise customer, contact us for your code. Its free if your maintenance is current. |
