Blocked extensions does not allow you to block extensions ending in a period or other non-printable characters
We recently had pen testing conducted by a third party on our web applications and client-facing SFTP site (Cerberus FTP). The pen testers were able to upload files with the names test.exe. and test.exe (with unprintable characters after the EXE). This simulates what a malicious person or disgruntled employee could do to get compromised files uploaded to Cerberus FTP. An unsuspecting person could then have problems opening what they think is an EXE file that was uploaded, inadvertently rename the file from test.exe. to test.exe, and then execute the suspect file, which could deliver a malicious payload. We tried to remediate by going into Blocked Extensions and blocking extensions like "EXE." or ".", but the UI doesn't let us do this. It might be nice to have an option to block known malicious file types, or any extension with a period at the end or some other non-printable character. I can attach screenshots of evidence that the pen testers were able to upload these suspicious files. Let me know.
Hello William,
Thank you very much for bringing this to our attention. I'll get this on over to our product team for their review. I do believe I have some screenshots from the ticket we were talking through previously, so I'll include those for our product team. If we need any further information, we will be sure to reach out. Thanks again for taking the time to help improve Cerberus!
I'd love if this went a step further and disallowed creating folders with any of these special characters as the last character. It can make removing the folder troublesome.
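The bypass in the original post and the folder-name problem in the comment above have the same root cause: a blocklist that compares the literal text after the last period never matches "test.exe." (empty extension) or "test.exe" followed by a control character, while Win32 strips trailing dots and spaces when it creates or renames the file, so the recipient ends up with a plain test.exe. The following is an added example, not code from Cerberus FTP or from anyone in this thread. It contrasts a literal suffix match with a check that first normalises the name (drops control and format characters, strips trailing dots and spaces) and then compares the extension, and it adds a name-validity check that can be applied to uploads and to folder creation. The blocklist, the sample names and the function names are constructed for illustration.

```python
import unicodedata

# Illustrative blocklist (constructed for this example, not Cerberus FTP's
# defaults): compared lower-case, without the leading dot, after normalisation.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "msi"}

# Constructed upload names for the thread's scenario: a trailing period, a
# trailing control character, a trailing space, doubled periods, a zero-width
# space (U+200B), and one benign file for comparison.
SAMPLE_UPLOADS = [
    "test.exe",
    "test.exe.",
    "test.exe\x01",
    "test.exe ",
    "TEST.EXE..",
    "test.exe\u200b",
    "report.pdf",
]


def naive_blocked(name: str, blocklist: set) -> bool:
    """Literal suffix match, i.e. what a blocklist that only looks at the text
    after the last '.' does. 'test.exe.' yields an empty extension and
    'test.exe\\x01' yields 'exe\\x01', so neither matches 'exe'."""
    return name.lower().rsplit(".", 1)[-1] in blocklist


def normalize_name(name: str) -> str:
    """Reduce a name to what the receiving file system will effectively use.
    Win32 strips trailing dots and spaces on create/rename, and Unicode
    control (Cc) and format (Cf) characters such as U+200B are invisible in
    most listings, so all of them are removed before the extension is read."""
    visible = "".join(ch for ch in name if unicodedata.category(ch) not in ("Cc", "Cf"))
    return visible.rstrip(". ")


def extension_of(name: str) -> str:
    """Lower-cased extension of the normalised base name, '' if there is none."""
    base = normalize_name(name).replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def hardened_blocked(name: str, blocklist: set) -> bool:
    """Blocklist check applied to the normalised extension."""
    return extension_of(name) in blocklist


def name_is_well_formed(name: str) -> bool:
    """Reject file or folder names whose stored form differs from their
    normalised form (trailing dots/spaces, embedded control or format
    characters) or that contain characters Win32 forbids, so that names which
    are awkward to rename or delete later are never created in the first place."""
    if not name or name in (".", ".."):
        return False
    if normalize_name(name) != name:
        return False
    return not any(ch in '<>:"/\\|?*' for ch in name)


def audit(names, blocklist):
    """Return (name, naive_result, hardened_result) for each candidate name."""
    return [(n, naive_blocked(n, blocklist), hardened_blocked(n, blocklist)) for n in names]


if __name__ == "__main__":
    for name, naive, hardened in audit(SAMPLE_UPLOADS, BLOCKED_EXTENSIONS):
        print(f"{name!r:20} naive={'BLOCK' if naive else 'allow':5} "
              f"hardened={'BLOCK' if hardened else 'allow'}")
    for folder in ("invoices", "invoices.", "inv\x00oices"):
        print(f"create folder {folder!r}: {'ok' if name_is_well_formed(folder) else 'rejected'}")
```

Running the block shows every variant except report.pdf slipping past the naive match and being caught by the hardened one, and the two malformed folder names being rejected up front. Normalising before matching closes the specific gap the pen testers used, but a blocklist of "known bad" extensions is still only as good as the list; where the business process allows it, an allowlist of the extensions a site is actually expected to receive is the stronger control.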