Advisory ID: SYSS-2015-043
Product: Secure File Sharing
Vendor: Serv-U
Affected Version(s): Serv-U 15.1.2.189 and below
Tested Version(s): Serv-U 15.1.2.189
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-07-23
Solution Date: 2015-11-04
Public Disclosure: 2015-11-09
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH
                    https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

A persistent cross-site scripting vulnerability was identified in the
Serv-U Secure File Sharing application.

Serv-U Secure File Sharing is described as follows [1]:

"Secure file sharing lets users send files to and request files from
anyone. When deployed in your data center, Serv-U Managed File Transfer
Server provides this popular “ad hoc” file transfer service to your
end-users on your existing infrastructure, and under the control of your
existing security policy."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The "Name" field of the contact information is stored and later embedded
into the page shown to the recipient of an upload request without being
encoded. Using a crafted "Name", a user can therefore send an upload
request to another user; the recipient is led to a page that contains
the JavaScript embedded in the "Name" attribute, and that script runs in
the recipient's browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Use the "Request Files From Guest User" function with the name:

XSS

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information from Serv-U, a HotFix for the described
security issue is available at [2].

Please contact the manufacturer for further information or support.
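The defect class described under "Vulnerability Details", as an added example that is not code from the advisory or from Serv-U: a constructed page renderer that interpolates the stored contact name verbatim, beside the hardened version that HTML-encodes it at the output point. The function names, the page wording and the sample name are all assumptions made for this example.

```javascript
// Added example (not Serv-U code): how an unencoded "Name" field becomes
// markup in the recipient's page, and the output encoding that prevents it.
// All function names and the page wording are constructed for this example.

// Escape the five characters that are significant in HTML text content and
// in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (the defect class the advisory describes): the stored
// contact name is written into the recipient's page as-is, so any markup it
// carries becomes part of the document and is executed by the browser.
function renderRequestPageUnsafe(contact) {
  return `<p>${contact.name} has requested files from you.</p>`;
}

// Hardened pattern: every untrusted value is encoded at the exact point where
// it is written into HTML, so the name is displayed as text only.
function renderRequestPageSafe(contact) {
  return `<p>${escapeHtml(contact.name)} has requested files from you.</p>`;
}

// Check a reviewer or regression test can run over rendered output: does the
// page still contain a raw <script> start tag?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a contact name that carries markup.
const sampleContact = { name: 'Mallory <script>alert(1)</script>' };

console.log(renderRequestPageUnsafe(sampleContact)); // script tag survives
console.log(renderRequestPageSafe(sampleContact));   // rendered as text only
```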
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-06: Vulnerability discovered
2015-07-23: Vulnerability reported to vendor
2015-07-30: Reported vulnerabilities again as the vendor did not respond
            to the first e-mail
2015-08-31: Reported vulnerabilities again as the vendor did not respond
            to the first e-mails
2015-09-16: Rescheduling of the publication date in agreement with the
            manufacturer
2015-11-09: Public release of security advisory on agreed publication
            date

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Serv-U, Secure File Sharing
    http://www.serv-u.com/secure-file-sharing
[2] Serv-U, HotFix for Secure File Sharing
    http://downloads.solarwinds.com/solarwinds/Release/HotFix/SU-v15.1.2-HotFix2.zip
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn and Philipp Buchegger of
the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

E-Mail: philipp.buchegger (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Philipp_Buchegger.asc
Key ID: 0xBB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en