Advisory ID: SYSS-2015-041
Product: Secure MFT
Vendor: OpenText
Affected Version(s): 2013 R1, 2014 R1, 2014 R2
Tested Version(s): 2014 R2 SP4
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-08-05
Solution Date: 2015-08-14
Public Disclosure: 2015-08-14
CVE Reference: Not assigned
Author of Advisory: Alexander Straßheim, SySS GmbH
                    Dr. Adrian Vollmer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Secure MFT aims to replace FTP or file transfer via e-mail by providing a
secure and easy-to-use alternative. Users can send each other files of
practically any size either by using a Microsoft Windows client, a Microsoft
Outlook plugin or a web application.

The software manufacturer describes the product as follow (see [1]):

"OpenText Secure MFT is an enterprise-grade managed file transfer solution
that delivers uncompromising security to safely exchange large files."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a reflected cross-site scripting vulnerability in
the web application component of OpenText Secure MFT solution which can
be exploited from an attacker's perspectives.

The input field for searching stored files is not correctly sanitized and
therefore can be abused to inject arbitrary JavaScript statements.

This reflected cross-site scripting vulnerability can be exploited by an
authenticated attacker by manipulating a token and sending a specially 
crafted JavaScript code (see PoC section).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL using the JavaScript code 
    
    "><script>alert(1)</<script> 

as the value for the URL parameter "querytext" demonstrate the reflected
cross-site scripting vulnerability by showing a JavaScript alert box.

    https://[Secure MFT HOST]/userdashboard.jsp?querytext="><script>alert(1)</script>&button=Search&panel=search

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Secure MFT to one of the following versions or newer:

    * Secure MFT 2013 R3 P6
    * Secure MFT 2014 R2 P2
    * Secure MFT 2015 R1
    * Secure MFT 2015 R1 FP1

Software updates are available at [4]. For further information, see [5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-29: Vulnerability discovered
2015-08-05: Vulnerability reported to vendor
2015-08-14: Vendor publishes security alert
2015-08-14: Public release of security advisory according to the SySS
            Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of Secure MFT
    https://www.opentext.com/what-we-do/products/information-exchange/secure-messaging/opentext-secure-mft
[2] SySS Security Advisory SYSS-2015-041
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-041.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] https://knowledge.opentext.com/knowledge/cs.dll/Open/27077429 (Knowledge Center log on required)
[5] https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=60914364&objAction=browse&viewType=1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Alexander Straßheim and Dr. Adrian Vollmer of the SySS GmbH.

E-Mail: Alexander.Strassheim (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Strassheim.asc
Key Fingerprint: AA60 5215 FB5A E5AE 3A1E 775F 925F 266E 6E2D 6AD8

E-Mail: Adrian.Vollmer (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Adrian_Vollmer.asc
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8  3403 0E02 7C7E 037C 9FE7


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en