CrushFTP Server
| CrushFTP Server | |
|---|---|
| Developer(s) | CrushFTP, LLC | 
| Stable release | 10.2.0[1] / 5 April 2022 | 
| Operating system | OS X, Linux, Unix, Windows | 
| Type | Secure Web file up/download, FTP server, HTTP server, SFTP Server, WebDAV Server | 
| License | Proprietary software | 
| Website | www.crushftp.com | 
CrushFTP is a proprietary multi-protocol, multi-platform file transfer server originally developed in 1999. CrushFTP is shareware with a tiered pricing model. It is targeted at a range of users, from home users up to enterprise users.
Features
CrushFTP supports the following protocols: FTP, FTPS, SFTP, HTTP, HTTPS, WebDAV and WebDAV SSL. Additionally, although not a protocol, it has both AJAX/HTML5 and Java applet web interfaces for end users to manage their files from a web browser. CrushFTP uses a GUI for administration, but also installs as a daemon on Mac OS X, Linux, and Unix, and as a service on Windows. It supports multihoming, multiple websites with distinct branding, hot configuration changes, attachment redirection, and GUI-based management of users and groups from a browser. Plugins are included for authentication against SQL databases, LDAP, Active Directory, and other custom methods. All settings are stored in XML files that can be edited directly or with the web UI. If they are edited directly, CrushFTP notices the modification timestamp change and loads the settings immediately without needing a server restart.
History of CrushFTP
CrushFTP was first published publicly around 1998.[2] Initial versions were FTP only. There were no connection restrictions in version 1.x. CrushFTP 2.x brought about virtual directories in a sense, while CrushFTP 3.x[3] brought about a full virtual file system. It supported the ability to merge and mangle several file systems together regardless of whether they came from local folders or another FTP site. It could even act as a proxy for other FTP servers. However, the complications arising from all the potential issues this could cause were confusing. CrushFTP 3 introduced tiered pricing models.
CrushFTP 4 focused primarily on a cleaner interface and less confusing virtual file system. While it still seems to have some support for merging FTP sites with a local file system,[4] the support seems limited. Updates in version 4 included a full HTTP server as well as the other supported protocols. Later updates began recognizing connection differences between web browsers and FTP/SFTP clients, counting four web browser connections as only one user against the licensed limit.
CrushFTP 5[5] continued the evolution of the WebInterface with various iterations. It used a Flash interface[6] briefly before replacing it with an HTML/Ajax interface. CrushFTPv5 was the last version to still use a thick client Java Swing UI.[7] Version 6 moved to an all web browser UI.
CrushFTP 6,[8] released in 2012, brought about major changes as the management and monitoring interface became entirely web based. Its interface is based on jQuery and jQuery UI. Multiple administrators can work concurrently, fixing the single admin limitation of prior versions. It had image thumbnail support[9] and file replication and syncing.
CrushFTP 7 was released in early 2014. According to the "what's new" page[10] it adds a dashboard for server information, delegated role-based administration, graphical job / event designer, MP4 movie streaming support using HTML5,[11] UPnP / PMP port forwarding and automatic external port validation testing, among many other features. Some features are available only to enterprise customers such as user synchronization and DMZ prefs synchronization between internal servers.
CrushFTP 8 was released in late 2016. The "what's new" page lists a new faster HTML5 browser uploading system (4x faster) with resume support, a limited filesystem server mode, and data replication as key new features. There is a revision system on files, a new reports UI, and a stand-alone client UI as part of the release as well.[12]
CrushFTP 9 was released in late 2018. The "what's new" page lists a new CrushBalance load balancer, a new Citrix protocol for VFS, reduced thread usage, Let's Encrypt plugin support, and automated expiration reminder emails for passwords, accounts, and shares. Additionally, it lists Proxy Protocol v2 support for AWS load balancers and an enhanced job management system.[13]
CrushFTP 10 was released in early 2021.[14]
Features
- DMZ feature to separate internal and external server interfaces.
- High availability, session replication, data replication and VIP capabilities.
- Event-based actions to trigger emails.
- Job scheduler, visual flow designer, manage and move files across protocols. Pass a list of found files from one step to the next, filtering items out, multithreading multiple steps simultaneously, and monitoring in real-time the progress of the job visually and with real-time logging.[15]
- Scriptable command line CrushClient with support for FTP(ES)/ SFTP/ HTTP(s)[16]
- CrushBalance load balancer included for a software based load balancer that can be put in front of the main CrushFTP server.
- Supports many back end protocols for file storage, including FTP(ES), SMB, SFTP, HTTP(s), WebDAV, Google Drive, Azure, Hadoop and S3[17]
- Web interface allowing on the fly zipped uploads and downloads
- Web interface supports image thumbnail generation for live image previews [18]
- Drill down into folders on the WebInterface, delete, or rename.
- API for configuring users and VFS items over HTTP(s) [19]
- Custom usage reports that can be run on demand, or scheduled.
- Live real-time dashboard UI for monitoring server health, active users, and their activity.
- Web server supports Server Side Includes, and virtual domains.
- SQL integration to store users and permissions in SQL database tables.
- LDAP / Active Directory authentication integration.
- SAML SSO authentication integration.
- RADIUS authentication integration.
- Ability to launch custom shell scripts passing in arguments.
- DDoS protection
- Detailed audit logging and log rolling. Syslog or DB logging for a secondary server with replicated log data (audit purposes)
- Custom web upload forms for collecting additional information with file uploads which can be passed to jobs and events.
- Bandwidth limiters.
- Internal statistic gathering.
- User and group inheritance on a per setting level.
- Max login time, idle time.
- Max upload, download, and minimum download speed.
- Quotas and ratios.
- Max download amount per session, day, or month.
- Auto account expirations.
- Restricted IP ranges for connections.
- Custom events including running a plugin or sending an email.
- Supports various encodings including UTF-8.
- Can do Virtual File System (VFS) linking to merge several file systems.
- Supports FTP's MODE Z for compressed transfers.
Plugins
- CrushLDAPGroup authenticates against an LDAP server, including Active Directory.
- CrushTask has a long list of tasks it can perform. AS2, Copy, Delete, Email, Execute, Find, Jump, HTTP, MakeDirectory, Move, PGP, PopImap, Preview, Rename, SQL, Unzip, Wait, WriteFile, Zip and an unknown Custom task.
- MagicDirectory allows creating users by just making a folder, so non-administrator personnel can create users easily.
Authentication options
- Built-in user database consisting of XML files describing the user and Virtual File System access.
- Active Directory / LDAP
- Web application POST and retrieval of XML configurations
- SAML
- SQL tables
- HTTP basic authentication
- HTTP form-based authentication
- MagicDirectory folder name based user authentication
Security
Encryption is supported for files "at rest" using PGP, and passwords are protected using a non-reversible hash (MD5, SHA, SHA512, SHA3 or MD4). SFTP uses SSH for encryption, and FTPS uses SSL/TLS for encryption.[20] SHA-2 hashing algorithms are supported. Hashes can be salted with random salt values.
Vulnerabilities
As of August 2021, there have been six published vulnerabilities in CrushFTP.[21]
On March 21, 2025, CrushFTP published a warning on their website about a bug that can result in "unauthenticated HTTP(S) port access".[22] The bug was found in versions 10.0.0 through 10.8.3, and 11.0.0 through 11.3.0. Jacob Baines, CTO of VulnCheck, sent an e-mail to CrushFTP to enquire about why a CVE was not issued 5 days after the discovery of the bugs. In a reply, CrushFTP's CEO Ben Spink threatened Baines, stating that the CVE that Baines had assigned "will be deleted as a duplicate. You did not discover this. The real CVE is pending. Your reputation will go down if you do not voluntarily remove your fake item".[23]
References
- ^ "CrushFTP - Download". Archived from the original on 21 April 2022.
- ^ "CrushFTP - Support". www.crushftp.com. Archived from the original on 2021-05-09. Retrieved 2022-04-01.
- ^ "Mac Guild Review". Archived from the original on 2015-02-11. Retrieved 2014-12-03.
- ^ "Yahoo | Mail, Weather, Search, Politics, News, Finance, Sports & Videos". Archived from the original on 2014-03-02. Retrieved 2014-02-10.
- ^ "Getting Started with CrushFTP". 20 July 2010. Archived from the original on 2 January 2015. Retrieved 3 December 2014.
- ^ "Crush5wiki: FlashUploads". Archived from the original on 2013-08-22. Retrieved 2014-12-03.
- ^ "Crush5wiki: Main". Archived from the original on 2013-08-19. Retrieved 2014-12-03.
- ^ "CrushFTP 6 moves to new web-based interface | MacNN". Archived from the original on 2014-02-23. Retrieved 2014-02-10.
- ^ "Five cost effective and easy to setup FTP servers for your desktop". 16 November 2012. Archived from the original on 2014-12-23. Retrieved 2014-12-03.
- ^ "Crush7wiki: CrushFTP7New". Archived from the original on 2014-02-23. Retrieved 2014-02-10.
- ^ "CrushFTP 7 gets visual job scheduling, server dashboard | MacNN". Archived from the original on 2014-02-23. Retrieved 2014-02-11.
- ^ "Crush8wiki: CrushFTP8New". Archived from the original on 2020-09-18. Retrieved 2016-10-27.
- ^ "Crush9wiki: CrushFTP9New". Archived from the original on 2022-04-01. Retrieved 2018-11-02.
- ^ "CrushFTP - Download". Archived from the original on 2021-05-09. Retrieved 2021-08-11.
- ^ https://web.archive.org/web/20130914044059/http://crushftp.com/CrushFTP_White_Paper.pdf. Archived from the original (PDF) on 2013-09-14.
- ^ "Crush8wiki: CrushClient". Archived from the original on 2020-08-10. Retrieved 2017-05-19.
- ^ "Crush8wiki: VFS Protocols". Archived from the original on 2020-10-01. Retrieved 2017-05-19.
- ^ "CrushFTP 6 Enterprise FTP server review". anewdomain.net. Archived from the original on 2012-09-18.
- ^ "Crush8wiki: API". Archived from the original on 2020-09-30. Retrieved 2016-11-04.
- ^ "SHA-2 Compatibility | DigiCert.com". www.digicert.com. Archived from the original on 2021-07-25. Retrieved 2022-04-01.
- ^ "CVE - Search Results". cve.mitre.org. Archived from the original on 2018-04-28. Retrieved 2018-04-27.
- ^ "Crush11wiki: Update".
- ^ "It's been 5 days since CrushFTP publicly disclosed a new vulnerability". Retrieved 29 March 2025.