BIS-SFT-CV-0004

Notice 

A security flaw has been found in Biscom’s Secure File Transfer product that affects versions 5.0.0000 through 5.1.1026. A fix is available in version 5.1.1028. 

It is recommended that all affected versions of SFT be upgraded immediately. 

Issue summary 

The Display Name and Username fields are vulnerable to AngularJS Template Injection. A string formatted as an AngularJS template (text wrapped in the framework's interpolation markers) entered in either field can be used to execute a cross-site scripting (XSS) attack against other users who view it. 

Exploiting this vulnerability requires an account on the system; see Technical Details for the anonymous self-registration case.  

Technical Details 

The AngularJS framework treats text wrapped in its interpolation markers ({{ and }} by default) as a template expression and evaluates it when the page is compiled. An attacker can therefore embed script-executing code inside such a template string. If a user sets their display name or username to such a string, any screen that renders that value into an AngularJS-compiled page will evaluate the expression and execute the embedded script in the browser of whoever views that screen. 

There are two fields affected by this vulnerability: Username and Display Name. 

An unauthenticated user cannot exploit the issue unless anonymous self-registration is enabled, which lets anyone create an account and set these fields. SFT can be configured to allow self-registration for anonymous users, though this option is disabled by default. Any system allowing anonymous self-registration should be upgraded immediately or have that option disabled until it can be upgraded. 

There are no known cases of this vulnerability being exploited outside of the tests conducted by the security researcher who discovered it. 

Fix Details 

Starting with version 5.1.1028, SFT performs both client-side and server-side checks on these fields and rewrites the character sequences that AngularJS would interpret as a template. If an attacker enters a string intended to exploit this issue, it is stored as an altered string that cannot be used for template injection leading to an XSS attack.
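
The following is an added example, not Biscom's code, illustrating both the template shape described under Technical Details and the kind of server-side rewrite described under Fix Details. It assumes the application uses AngularJS's default interpolation markers ({{ and }}); the sample display name, the 64-character length limit and the function names are constructed for the example.

```javascript
// Added example (not Biscom's code): detect and neutralize AngularJS
// interpolation markers in a user-supplied Display Name / Username
// before the value is stored. "{{" and "}}" are AngularJS's default
// markers; an application that reconfigures them via
// $interpolateProvider must apply the same treatment to its own
// start/end symbols (assumption here: the defaults are in use).
const START = "{{";
const END = "}}";

// Constructed sample payload: a display name shaped as an AngularJS
// template. "7*7" is the classic template-injection probe; if the
// string reached the DOM before AngularJS compiled the page, the
// expression would be evaluated and "49" rendered in its place. A real
// attack would put a script-executing expression there instead.
const SAMPLE_PAYLOAD = "Alice {{7*7}}";

// True when the string holds a complete interpolation (a start marker
// followed later by an end marker), which is what AngularJS evaluates.
function containsAngularTemplate(value) {
  const start = value.indexOf(START);
  if (start === -1) return false;
  return value.indexOf(END, start + START.length) !== -1;
}

// Rewrites every run of two or more identical braces by inserting a
// space between them, so no "{{" or "}}" pair survives: "{{" becomes
// "{ {", "}}}" becomes "} } }". The user still sees their braces, but
// the string can no longer be parsed as an interpolation.
function neutralizeAngularTemplate(value) {
  return value.replace(/([{}])\1+/g, (run) => run.split("").join(" "));
}

// Server-side acceptance step for the two affected fields: normalize,
// enforce a length limit (64 is an assumed value), then neutralize.
function acceptDisplayName(raw) {
  const trimmed = String(raw).trim();
  if (trimmed.length === 0 || trimmed.length > 64) {
    throw new Error("display name must be 1-64 characters");
  }
  return neutralizeAngularTemplate(trimmed);
}

// Stand-alone demonstration of the before/after state.
console.log("submitted :", SAMPLE_PAYLOAD,
            "| template:", containsAngularTemplate(SAMPLE_PAYLOAD));
const stored = acceptDisplayName(SAMPLE_PAYLOAD);
console.log("stored    :", stored,
            "| template:", containsAngularTemplate(stored));
```

The rewrite is defense in depth against data that is already in the database or that reaches the page through some other path. The durable fix on the client side is to never splice user-controlled text into markup that AngularJS will compile (for example server-rendered HTML inside an ng-app element); values bound at runtime with ng-bind or an ordinary {{ }} binding are rendered as text and are not interpolated a second time. An application that prefers rejection over rewriting can return an error whenever containsAngularTemplate() is true instead of calling neutralizeAngularTemplate().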