what you don't know can hurt you

OpenText Secure MFT 2014 R2 SP4 Cross Site Scripting

OpenText Secure MFT 2014 R2 SP4 Cross Site Scripting
Posted Aug 18, 2015
Authored by Dr. Adrian Vollmer, Alexander Strassheim

OpenText Secure MFT version 2014 R2 SP4 and some prior versions suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 0ca2f8ce2ac1e8fd0292e44455cd17e0bc3afed80f5f026aa383e3aa9639351c

OpenText Secure MFT 2014 R2 SP4 Cross Site Scripting

Change Mirror Download
Advisory ID: SYSS-2015-041
Product: Secure MFT
Vendor: OpenText
Affected Version(s): 2013 R1, 2014 R1, 2014 R2
Tested Version(s): 2014 R2 SP4
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-08-05
Solution Date: 2015-08-14
Public Disclosure: 2015-08-14
CVE Reference: Not assigned
Author of Advisory: Alexander Straßheim, SySS GmbH
Dr. Adrian Vollmer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Secure MFT aims to replace FTP or file transfer via e-mail by providing a
secure and easy-to-use alternative. Users can send each other files of
practically any size either by using a Microsoft Windows client, a Microsoft
Outlook plugin or a web application.

The software manufacturer describes the product as follow (see [1]):

"OpenText Secure MFT is an enterprise-grade managed file transfer solution
that delivers uncompromising security to safely exchange large files."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a reflected cross-site scripting vulnerability in
the web application component of OpenText Secure MFT solution which can
be exploited from an attacker's perspectives.

The input field for searching stored files is not correctly sanitized and
therefore can be abused to inject arbitrary JavaScript statements.

This reflected cross-site scripting vulnerability can be exploited by an
authenticated attacker by manipulating a token and sending a specially
crafted JavaScript code (see PoC section).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL using the JavaScript code

"><script>alert(1)</<script>

as the value for the URL parameter "querytext" demonstrate the reflected
cross-site scripting vulnerability by showing a JavaScript alert box.

https://[Secure MFT HOST]/userdashboard.jsp?querytext="><script>alert(1)</script>&button=Search&panel=search

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Secure MFT to one of the following versions or newer:

* Secure MFT 2013 R3 P6
* Secure MFT 2014 R2 P2
* Secure MFT 2015 R1
* Secure MFT 2015 R1 FP1

Software updates are available at [4]. For further information, see [5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-29: Vulnerability discovered
2015-08-05: Vulnerability reported to vendor
2015-08-14: Vendor publishes security alert
2015-08-14: Public release of security advisory according to the SySS
Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of Secure MFT
https://www.opentext.com/what-we-do/products/information-exchange/secure-messaging/opentext-secure-mft
[2] SySS Security Advisory SYSS-2015-041
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-041.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[4] https://knowledge.opentext.com/knowledge/cs.dll/Open/27077429 (Knowledge Center log on required)
[5] https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=60914364&objAction=browse&viewType=1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Alexander Straßheim and Dr. Adrian Vollmer of the SySS GmbH.

E-Mail: Alexander.Strassheim (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Strassheim.asc
Key Fingerprint: AA60 5215 FB5A E5AE 3A1E 775F 925F 266E 6E2D 6AD8

E-Mail: Adrian.Vollmer (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Adrian_Vollmer.asc
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close