The one where we just steal the vulnerabilities CrushFTP CVE...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-crushftp-cve-2025-54309/
• Blog Title: The one where we just steal the vulnerabilities: CrushFTP CVE-2025-54309
• Suggested Section: Pentesting Web -> Race Conditions & Logic Flaws (Authentication Bypass via Session Poisoning)

🎯 Content Summary

CrushFTP Authentication Bypass (CVE‑2025‑54309) — Technical Summary

Vulnerable when the DMZ proxy feature is not used.

Affected product and versions

• Product: CrushFTP (managed file transfer server; HTTP/S admin interface).
• Affected: v10 before 10.8.5 and v11 before 11.3.4_23.
• Tracking: CVE‑2025‑54309; adde...

  🔧 Technical Details

  Session identity poisoning via AS2 header: If an app path sets the authenticated user from an AS2 header, send a request with AS2-TO: \<targetUser> so the server mutates the current session’s username without credentials. Reuse the same session cookies (CrushAuth/currentAuth) across requests.

  
  

  Race the privileged operation: Immediately issue a second request (no AS2 header) that performs a privileged admin RPC (e.g., user cr...

  🤖 Agent Actions

  I analyzed the blog and repository, found the right spot, and updated HackTricks with the new technique.

  What I added:

  • Location: src/pentesting-web/race-condition.md
  • Change: Added a new case study section “Authentication Bypass via Session Poisoning (AS2 header)” under Race Conditions, focused on the logic/race flaw pattern seen in CrushFTP (CVE-2025-54309).
  • Content highlights:
    • Generalized technique: session identity poisoning via a trusted header (AS2-TO) that mutates the current session, followed by a near-simultaneous privileged admin RPC using the same cookies.
    • Attack workflow: share cookies; send poisoning request with AS2-TO and a content-type that routes to the AS2 path; concurrently send privileged admin request; scale with high concurrency.
    • Raw HTTP examples for...

  ---

  This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

  🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts

  The searchindex.js file is automatically generated and should not be included in manual commits.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-crushftp-cve-2025-54309/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Race Conditions & Logic Flaws (Authentication Bypass via Session Poisoning)".

Repository Maintenance:

• MD Files Formatting: 875 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0