Biscom, a secure document delivery provider, recently patched a serious vulnerability in its secure file transfer product that could have allowed an authenticated attacker access to data shared between other users.
Privately alerted in April by Rapid7 (a Biscom customer), the company released an updated version of its product on May 3.
The issue, a stored cross-site scripting vulnerability, was found in the Name and Description fields of the Workspaces component of the secure file transfer product. Researcher Orlando Barrera found the problem in late March. In a disclosure published today, Barrera described how an attacker would need to be authenticated to the product and have the ability to create a Workspace in order to exploit the vulnerability.
“When you use it and have an account, you can set up a Workspace and share that with a support rep, for example. Because it’s a cross-site scripting bug, you can use that to spy on other Workspaces that already have a relationship with that contact,” said Tod Beardsley, Rapid7 principal security research manager.
Biscom’s secure file transfer product is an on-premises product, deployed on local networks. An attacker, once authenticated, would need to lure the victim to their malicious Workspace to carry out the cross-site scripting attack. In this case, the two fields in question in a Workspace accept malicious JavaScript as input and execute it when the Workspace is viewed, allowing an attacker to access data transfers on the victim’s behalf. Version 5.1.1015 was affected by this vulnerability, which was patched in the version 5.1.1025 update.
“Cross-site scripting with an on-premises box means a lot,” Beardsley said. “You can not only break the whole model of file permissions they have, but own the victim’s browser.”
Beardsley said the product was not properly sanitizing input in those two fields, despite filtering for cross-site scripting elsewhere. Given the on-premises nature of the product and the need for an existing relationship in order to carry out this particular attack, the scope is somewhat reduced. But the existing relationship does presume some level of trust that might make it simpler to lure victims.
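To make the defect concrete, the following is an added example (not Biscom's code; the `name` and `description` field names and the sample Workspace are constructed) that contrasts the vulnerable pattern, interpolating a stored field straight into markup, with the hardened form that encodes on output. It also includes a small helper a reviewer or log scan can use to flag stored values that would become active markup if rendered unescaped.

```javascript
// Added example, not taken from the product described in the article.
// Field names (name, description) and the sample Workspace are constructed.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored user input is dropped into the page as-is,
// so any markup or script in the field runs in every viewer's browser.
function renderWorkspaceUnsafe(ws) {
  return `<h2>${ws.name}</h2><p>${ws.description}</p>`;
}

// Hardened pattern: encode each value for the context it lands in.
// Output encoding must be applied everywhere the field is rendered,
// not only on the form that accepts it.
function renderWorkspaceSafe(ws) {
  return `<h2>${escapeHtml(ws.name)}</h2><p>${escapeHtml(ws.description)}</p>`;
}

// Detection helper: does a stored value contain a tag or an inline event
// handler that would execute if rendered without encoding? Useful for
// auditing existing records after a fix like the one described above.
function looksLikeMarkup(s) {
  return /<\s*[a-z!/]/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Constructed sample: a Workspace whose fields carry script payloads.
const sampleWorkspace = {
  name: "Q2 audit <script>alert(1)</script>",
  description: 'shared files <img src=x onerror="alert(2)">',
};

console.log("unsafe:", renderWorkspaceUnsafe(sampleWorkspace));
console.log("safe:  ", renderWorkspaceSafe(sampleWorkspace));
console.log("flagged:", looksLikeMarkup(sampleWorkspace.name));
```

The safe renderer leaves the stored text intact (the user still sees exactly what was typed) while guaranteeing the browser treats it as text rather than markup; that is the property the two affected fields lacked.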
“It boils down to how people use it,” Beardsley said. “There will be an implicit trust because you have to have that relationship.”
Biscom’s website claims that more than one million users at 4,000 companies use its services. Companies listed on the website as customers include Philips, Massachusetts General Hospital and Safety Insurance.