Security Bulletin for Biscom Secure File Transfer (SFT) – BIS-SFT-CV-008
A security flaw has been found in Biscom Secure File Transfer’s Limited Sender feature that can allow a malicious user to access any file(s) on the system through an Insecure Direct Object Reference (IDOR) vulnerability.
In Biscom’s default configuration this vulnerability can only be exploited by licensed users of the system with sender rights.
If the Limited Sender option is enabled (it is disabled by default) and self-registration is enabled for Limited Sender users it is possible that an outside user could find and exploit this vulnerability without being explicitly added or invited to the system.
The following versions are affected:
- SFT 5.0.1050 through 5.1.1067
- 6.0.1000 through 6.0.1003
The fixed versions are:
- SFT 5.1.1068 and later
- SFT 6.0.1004 and later
It is recommended that all affected versions of SFT be upgraded immediately.
Prior to upgrading, if the limited sender role is enabled, it is recommended to disable it until the fix version can be applied.
This document will be updated to include the specifics of the exploit 90 days after publication to ensure all customers of SFT have been notified and had a chance to upgrade.
The exploit involved a code error on one specific page that allowed uploading files. That error has been fixed. Additional software checks were added to the affected page to prevent IDOR and similar exploits. All pages that allow uploading files were thoroughly checked for exploits as well.