A security flaw has been found in Biscom’s Secure File Transfer product that affects versions 5.0.1027 through 5.1.1013. A fix version 5.1.1014 is available.
It is recommended that all affected versions of SFT be upgraded immediately.
It has been found that it is possible to take a file download link from a no sign in delivery and by manually manipulating the link download files other than the intended file.
Only files that the sender or recipient in the original link already have access to can be downloaded.
Systems that do not allow sending no-sign in links are not vulnerable but should still be upgraded.
SFT has two kinds of deliveries, ones that require a recipient to sign in to view the delivery and ones that do not require a sign in. It is possible to disable no sign in deliveries on a system wide basis, though the default configuration is to allow them.
The expected behavior is as follows:
- A URL to a file for a delivery that requires sign in will prompt for a login if pasted into a browser
- A URL to a file for a delivery that does not require sign in downloads the file without prompting
The exploit on affected versions is:
- If you manually change the URL for downloading a file from a no-sign in delivery to have the documentID of a different file for the same user the altered link will download the file referenced in the altered link.
- If you change the documentID to a valid documentID for a different user you cannot download that file.
- Manually changing the URL of the no sign in delivery (case 2) to a documentID from a sign in delivery (case 1) it is possible to download the file without being prompted to sign in.
After updating to the fixed version a link can no longer be manually modified to access a file that is not part of the specific delivery the link is intended for.