A security flaw has been found in Biscom’s Secure File Transfer product that affects the following versions:
BDS/SFT 4.0.1032 through 4.3.1046
SFT 5.0.1000 through 5.0.1056
SFT 5.1.1000 through 5.1.1035
The fix versions are 4.3.1047, 5.0.1057, and 5.1.1036 respectively.
It is recommended that all affected versions of SFT be upgraded immediately.
SFT is vulnerable to an XXE (XML eXternal Entity) exploit in the import Contact function that can allow a user to display the contents of any text file on the system hosting the SFT application by inserting an XXE file reference into the imported XML.
Only users on the system who have been given sender rights have access to contacts and can import contacts. The vulnerability cannot be exploited by anonymous users, recipients of deliveries, or workspace collaborators and viewers.
This exploit involves importing contacts from an XML formatted file. If the XML import file contains an XXE Reference to the full path of a text file that exists on the system running the SFT application, the contents of the text file will be displayed in the contact details.
Binary files cannot be displayed or executed and will result in an XML parsing error.
The application now ignores any XXE references when parsing XML files.