-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-041
Product: Secure MFT
Vendor: OpenText
Affected Version(s): 2013 R1, 2014 R1, 2014 R2
Tested Version(s): 2014 R2 SP4
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-08-05
Solution Date: 2015-08-14
Public Disclosure: 2015-08-14
CVE Reference: CVE-2015-6530
Author of Advisory: Alexander Straßheim, SySS GmbH
                    Dr. Adrian Vollmer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Secure MFT aims to replace FTP or file transfer via e-mail by providing a
secure and easy-to-use alternative. Users can send each other files of
practically any size either by using a Microsoft Windows client, a Microsoft
Outlook plugin or a web application.

The software manufacturer describes the product as follow (see [1]):

"OpenText Secure MFT is an enterprise-grade managed file transfer solution
that delivers uncompromising security to safely exchange large files."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a reflected cross-site scripting vulnerability in
the web application component of OpenText Secure MFT solution which can
be exploited from an attacker's perspectives.

The input field for searching stored files is not correctly sanitized and
therefore can be abused to inject arbitrary JavaScript statements.

This reflected cross-site scripting vulnerability can be exploited by an
authenticated attacker by manipulating a token and sending a specially 
crafted JavaScript code (see PoC section).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL using the JavaScript code 
    
    "><script>alert(1)</<script> 

as the value for the URL parameter "querytext" demonstrate the reflected
cross-site scripting vulnerability by showing a JavaScript alert box.

    https://[Secure MFT HOST]/userdashboard.jsp?querytext="><script>alert(1)</script>&button=Search&panel=search

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Secure MFT to one of the following versions or newer:

    * Secure MFT 2013 R3 P6
    * Secure MFT 2014 R2 P2
    * Secure MFT 2015 R1
    * Secure MFT 2015 R1 FP1

Software updates are available at [4]. For further information, see [5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-29: Vulnerability discovered
2015-08-05: Vulnerability reported to vendor
2015-08-14: Vendor publishes security alert
2015-08-14: Public release of security advisory according to the SySS
            Responsible Disclosure Policy
2015-12-04: Included CVE in advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of Secure MFT
    https://www.opentext.com/what-we-do/products/information-exchange/secure-messaging/opentext-secure-mft
[2] SySS Security Advisory SYSS-2015-041
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-041.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] https://knowledge.opentext.com/knowledge/cs.dll/Open/27077429 (Knowledge Center log on required)
[5] https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=60914364&objAction=browse&viewType=1
[6] https://www.cvedetails.com/cve/CVE-2015-6530/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Alexander Straßheim and Dr. Adrian Vollmer of the SySS GmbH.

E-Mail: Alexander.Strassheim (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Strassheim.asc
Key Fingerprint: AA60 5215 FB5A E5AE 3A1E 775F 925F 266E 6E2D 6AD8

E-Mail: Adrian.Vollmer (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Adrian_Vollmer.asc
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8  3403 0E02 7C7E 037C 9FE7


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWYZcMAAoJEA4CfH4DfJ/nxp4QAIwvZe13x6QfiYx88rHwQTet
nco6KRhHq99Lx994/yD3UG3nNvruH9ixbFKDM89RFl/WoHfeXbu/+4HoNj5n14V2
6SoYqi/Q448jSZYEbYe3di1DOSakTr6fl7srQeq0N8exVMvT06yZUwnimvkQMXwL
dcYR1lCZ7WwcrVwriOwmK0Xqmr/IE9YoBoHk+zFAj4R7MgWjtRUOzui1lvGlg2yF
LMjfBLDh7v7K3FbeUcHIoKeMkBQcn2kSr7qHwC7S3BdzZhcT5XxM2XiQatstrvSl
lPTzBqdROeyjfGzy49URpzBVMosuxooXP/M+DlK+94XFoCW06TEOyr4gg8HdOzCD
ataUiLSUgVdcas12T1+yjhCGsE6WtLT+ITScMzjPogySAXNUQlKH61T6kiCSkxve
5Vwnaa3Vfd7oF3CuWCyYXnfGWwdiI0i4S6VFSKOyKTz5vT91ul33Gdsvriw2/EZX
ZSX2ILfb6HsLxErDZ5Fdk0SkXkQpUxmOdzHtQpYGQ+LKdgQtykEkGeuz36rdnOhR
nJ8RA6tupWpZy7NvjrmOWB49X+mnVN7UYHz232CgAbbjjDZr88ZujGBrWsk6L8Ai
F0FewjghwJEkLNRt93sd16Nr9e0gYaM6mLkaS2CrO1THE3OUH0EIOJGn3yP7NTm7
WvFWhiuxK38Kk2yc5Lwf
=oZQp
-----END PGP SIGNATURE-----