Domains for password reset links and public share links must be included in the "allow list."
In versions 11.0 and 10.0.17 of Cerberus FTP Server, we fixed a security issue in which the password reset feature was vulnerable to an HTTP Host header attack, which allowed malicious password reset emails to be generated. Administrators must now configure an "allow list" of acceptable domains, host names, or IP addresses that will be accepted in the HTTP Host header. Any domain not on the "allow list" cannot be used to reset passwords or create public shares.
To add a domain to the "allow list":
- Open the Server Manager.
- Select the Protocols page.
- Select the HTTP and HTTPS tab.
- Add a domain, host name, or IP address to the comma-separated list for Client Domain Allow List.
- Press the Save button on the Server Manager to save your settings.
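To illustrate what the allow-list check above protects against, here is an added example (not Cerberus's own code) of building a password reset or share link only from a Host header that matches a configured allow list. The list contents, the `split_host_header` and `reset_link_base` helpers, and the way ports and IPv6 literals are handled are assumptions for the example; the setting name is the one from the steps above.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow list in the comma-separated form the setting takes.
# The values are illustrative, not taken from the article.
CLIENT_DOMAIN_ALLOW_LIST = "Files.example.com, ftp.example.com, 203.0.113.10, 2001:DB8::1"


def parse_allow_list(raw: str) -> set:
    """Split the comma-separated setting into normalized (lowercase) entries."""
    entries = set()
    for item in raw.split(","):
        item = item.strip().lower()
        if not item:
            continue
        try:
            # Canonicalize IP entries so "2001:DB8::1" and "2001:db8::1" compare equal.
            item = str(ipaddress.ip_address(item))
        except ValueError:
            pass  # a domain or host name, keep as-is
        entries.add(item)
    return entries


def split_host_header(value: str):
    """Return (hostname, port) from a Host header, or (None, None) if unusable."""
    if not value or not value.strip():
        return None, None
    try:
        parts = urlsplit("//" + value.strip())  # parses host:port and [v6]:port
        hostname, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None, None
    if not hostname:
        return None, None
    try:
        hostname = str(ipaddress.ip_address(hostname))  # canonical IP form
    except ValueError:
        pass
    return hostname, port


def reset_link_base(host_header: str, allow_list: set, scheme: str = "https") -> Optional[str]:
    """Base URL for a reset or share link, or None to refuse the request.

    The unsafe pattern this replaces is f"{scheme}://{host_header}", which lets
    whoever controls the Host header choose where the emailed link points.
    """
    hostname, port = split_host_header(host_header)
    if hostname is None or hostname not in allow_list:
        return None
    netloc = f"[{hostname}]" if ":" in hostname else hostname
    if port is not None:
        netloc += f":{port}"
    return f"{scheme}://{netloc}"
```

Matching is exact per entry, so a host served on several names needs each name listed; a request with an unlisted or malformed Host header gets no link at all.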