BIS-SFT-CV-0005

Notice: 

A security flaw has been found in Biscom’s Secure File Transfer product that affects versions 5.1.1026 and earlier. A fix is available in version 5.1.1028. 

It is recommended that all affected versions of SFT be upgraded immediately. 

Issue summary 

SFT is vulnerable to cross-site scripting in the filename field. An authenticated user can populate this field with a filename that contains a script embedded in an image source tag. The resulting script will be evaluated by any other authenticated user who views the attacker-supplied filename.

Only a user on the system with the ability to send or upload files can exploit this vulnerability.

Technical Details 

SFT previously checked filenames for cross-site scripting (XSS); with this vulnerability, an attacker could nonetheless embed XSS code within an image source tag and submit the image tag as a filename. An authenticated user who has been assigned sender rights, who has been given the ability to secure reply, or who is a collaborator of a workspace can exploit this vulnerability.

Normally only an authenticated user who has rights to upload files to the system can exploit this vulnerability. An anonymous user cannot exploit it unless at least one of the following two options is enabled:

  1. Self-registration for anonymous users is enabled and sender rights are configured to be assigned to self-registered users. Self-registration is not enabled by default.
  2. Uploading files by anonymous users is enabled via the limited sender option. This option is disabled by default.

This vulnerability has no known cases of being exploited outside of the tests conducted by the security researcher who discovered it.

Fix Details 

Starting with version 5.1.1028, both client-side and server-side checks have been added to SFT to alter the specific character sequences that can be used to exploit this issue. If an attacker enters a string that attempts to exploit this issue, that string will be altered to one that cannot be used for an XSS attack. Additionally, a change has been added so that scripts embedded in existing filenames are not executed.
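As an added illustration of the two fix layers described above (this is not Biscom's code, and since the advisory does not state which character sequences SFT alters, a plain substitution of HTML markup characters is assumed here), the following Python sketch shows an upload-time filename check, display-time escaping for names stored before the fix, and an audit helper for locating stored names that contain markup:

```python
import html
import re

# Characters that let a filename open an HTML tag or break out of an attribute.
# The advisory does not list SFT's exact sequences; this set is an assumption.
_MARKUP_CHARS = re.compile(r'[<>"\'&]')


def sanitize_filename(name: str) -> str:
    """Upload-time (server-side) check: rewrite markup characters so the stored
    name can no longer form a tag such as an image source tag."""
    return _MARKUP_CHARS.sub("_", name)


def render_filename(stored_name: str) -> str:
    """Display-time defence for names stored before the fix: HTML-escape so any
    markup already present is shown as literal text rather than evaluated."""
    return html.escape(stored_name, quote=True)


def find_suspect_filenames(stored_names):
    """Audit helper: return stored names containing markup characters, which an
    administrator may want to review after upgrading."""
    return [n for n in stored_names if _MARKUP_CHARS.search(n)]


if __name__ == "__main__":
    # Constructed sample filenames, not taken from the advisory; SCRIPT is a
    # placeholder standing in for any script body.
    uploads = [
        "quarterly-report.pdf",
        "notes<img src=x onerror=SCRIPT>.txt",
    ]
    for name in uploads:
        print(repr(name), "->", repr(sanitize_filename(name)))
    print("needs review:", find_suspect_filenames(uploads))
    print("escaped for display:", render_filename(uploads[1]))
```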