About SFTPGo
SFTPGo is an open source tool for the secure exchange and storage of files, providing users in authoritarian contexts with an encrypted method to safely share and save documents. It provides a high degree of flexibility to use different storage backends (e.g., S3, Google Cloud Storage, Azure Blob), locally or in the cloud. It also includes a web application and the option to use virtual folders, which can use any of the supported storage backends, among other features.
Audit Description
OTF’s Security Lab partner Include Security conducted a “gray box” audit (a type of testing in which the tester has partial knowledge of the system’s internal workings) of SFTPGo in October and November 2024, with a focus on the file transfer server and two associated plugins. The audit process included source code review and dynamic testing via a test environment running the SaaS version of SFTPGo.
Scope
The audit encompassed the SFTPGo web applications and API, as well as the FTP, SFTP, and WebDAV protocols. The auditors also reviewed the Event Search and Event Store plugins, which implement logging and monitoring features on SFTPGo deployments.
Several SFTPGo features were excluded from the audit scope due to time limitations, including external authentication providers such as OIDC and LDAP, Data At Rest Encryption (DARE), and VFS.
Findings
Auditors did not detect any “critical” or “high” severity vulnerabilities, but did identify two “medium” severity issues:
● SaaS Configuration Leak via RCE: A feature allowing Administrators with PermAdminManageEventRules permissions to run arbitrary system commands could be used on the SaaS version of SFTPGo to escalate Administrator privileges and gain full control over the application instance. This would give the account access to confidential system configurations and could even potentially allow remote access to the storage of other hosted SFTPGo customers (although the report notes that the latter scenario was beyond the scope of the current audit). After remediation by the SFTPGo team, the auditors confirmed that the EventManager can execute only commands from an allow list in the configuration file.
● Overly Granular Roles Leading to Privilege Escalation: In the primary SFTPGo application, an Administrator account with limited permissions could change its permissions to grant itself full Administrator privileges and gain total control over the SFTPGo application. A malicious administrator could thus change system configurations, for example, or view confidential data. (In addition to the PermAdminManageEventRules permissions noted in the previous finding, this finding covered the permissions PermAdminManageSystem and PermAdminManageAdmins.) The auditors recommended a review of the application’s administrative permissions, and potential changes to the SFTPGo “roles” system and its documentation. To remediate these findings, the SFTPGo team removed the three permissions above, along with the permissions PermAdminManageIPLists and PermAdminManageRules.
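The remediation described for the first finding, restricting the EventManager to an operator-configured allow list of commands, is illustrated below with an added Go example. This is not SFTPGo's own code: the EventManagerConfig type, the AllowedCommands field and the ResolveCommand/RunAction functions are assumed names chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// EventManagerConfig is an assumed configuration shape: an explicit list of
// absolute command paths the operator trusts the event manager to run.
type EventManagerConfig struct {
	AllowedCommands []string
}

var ErrCommandNotAllowed = errors.New("command is not in the configured allow list")

// ResolveCommand returns the allow-listed absolute path for cmd, or an error.
// Only an exact match on a cleaned absolute path counts, so relative names
// and names that merely look similar are refused.
func (c EventManagerConfig) ResolveCommand(cmd string) (string, error) {
	if !filepath.IsAbs(cmd) {
		return "", fmt.Errorf("%w: %q is not an absolute path", ErrCommandNotAllowed, cmd)
	}
	clean := filepath.Clean(cmd)
	for _, allowed := range c.AllowedCommands {
		if filepath.Clean(allowed) == clean {
			return clean, nil
		}
	}
	return "", fmt.Errorf("%w: %q", ErrCommandNotAllowed, cmd)
}

// RunAction executes the command only if it is allow-listed. Arguments are
// handed to exec.Command as a slice, so no shell is involved and an argument
// containing ";" or "$(...)" stays a literal argument.
func (c EventManagerConfig) RunAction(cmd string, args []string) error {
	path, err := c.ResolveCommand(cmd)
	if err != nil {
		return err
	}
	return exec.Command(path, args...).Run()
}

func main() {
	cfg := EventManagerConfig{AllowedCommands: []string{"/usr/bin/true"}}
	for _, cmd := range []string{"/usr/bin/true", "/bin/sh", "/usr/bin/../bin/true", "true"} {
		_, err := cfg.ResolveCommand(cmd)
		fmt.Printf("%-22s allowed=%v\n", cmd, err == nil)
	}
}
```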
In addition to the two “medium-level” risks, Include Security identified two vulnerabilities flagged as “Low,” related to low-likelihood scenarios involving cryptographic keys and Cross Site Request Forgery, respectively. One “informational” finding was noted in the audit, related to outdated Go libraries in use by the Event Search and Event Store plugins.
At the request of the SFTPGo team, the auditors also reviewed a CVE (“Common Vulnerabilities and Exposures”) report regarding a security flaw with JSON Web Tokens, which was determined to be invalid.
Remediation
In the remediation testing at the end of the review process, Include Security confirmed that the SFTPGo team addressed all five reported issues through code changes or updates to the Go libraries.