LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.
LiquidFiles supports the FTP SITE CHMOD command, which allows changing file permissions on the FTP server. An attacker who is an FTPDrop user can set the setuid and setgid bits (mode 6777) on a selected file and then use the Actionscript function and sudoers configuration to run this file with root privileges. The combination of an available FTP channel, permissive sudo configuration, and lack of restrictions on setting setuid/setgid bits creates a complete privilege escalation path to execute arbitrary code.
An authenticated FTPDrop user can execute arbitrary code as root, which means complete takeover of the server — including data theft, backdoor installation, and system modification or destruction.
LiquidFiles should be updated to version 4.1.2 or later, in which the vulnerability has been removed. Details are available in the official release notes from the vendor at https://docs.liquidfiles.com/release_notes/version_4-1-x.html
LiquidFiles in versions prior to 4.1.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HLiquidfiles
APPLiquidfiles< 4.1.2
Related vulnerabilities
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure ...
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality....
LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sys...
HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker ...
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an a...