
Citrix ShareFile Login Pages Vulnerable to Malicious Attacks - Patch Now

A significant security flaw has emerged in the login pages of Citrix ShareFile, a widely used file-sharing and collaboration platform. Tenable identified the flaw as a reflected cross-site scripting (XSS) vulnerability. If exploited, it could have allowed a malicious actor to steal login credentials or tokens, execute code in the context of a victim's browser, or perform a variety of other malicious actions.

Of concern, Citrix has opted not to disclose this security issue to its customers or to the general public after patching it. According to Tenable Research, "Despite the potential impact of the vulnerability, Citrix has elected not to publish information regarding this issue or provide notice to customers after they patched the issue. Customers are entirely beholden to the cloud providers to fix reported issues, forced to blindly trust that proper care has gone into effectively remediating any vulnerabilities. This lack of transparency is a disservice to their customers and leaves them in the dark about their exposure to risk before patches were issued. The practice of silent patching by cloud service providers hinders risk assessment and creates new challenges for security teams to understand the risks of their cloud environments. While a patch was issued, potentially affected customers may be unaware that any nefarious activity took place.


With ransomware groups like CL0P targeting file transfer applications including Fortra’s GoAnywhere managed file transfer (MFT) and Progress Software’s MOVEit Transfer MFT software, securing these solutions and identifying potential avenues for exploitation are critical to the success of staying a step ahead of opportunistic attackers."

The susceptibility stems from a flaw within the processing of the login page request, leading to unsafe insertion of request parameters into the "oAuthViewModel" variable. This is particularly concerning as visiting any of the ShareFile login pages could trigger this vulnerability, exposing users to possible attacks. These pages include commonly used URLs such as:

  • https://<ShareFile Customer Prefix>.sharefile.com/Authentication/Login

  • https://<ShareFile Customer Prefix>.sharefile.com/Authentication/StartLogin

  • https://<ShareFile Customer Prefix>.sharefile.com/login

  • https://<ShareFile Customer Prefix>.sharefile.com/oauth/authorize

The repercussions of this vulnerability are far-reaching, potentially allowing attackers to manipulate parameters in the redirected URL and inject unsafe elements into the page. As a result, cross-site scripting, HTML injection, redirection, and other nefarious actions become possible. A critical aspect of the vulnerability is the premature closure of the "<script>" tag containing the "oAuthViewModel," which enables attackers to further inject malicious code.
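The failure mode described above, shown as an added example that is not Citrix's or Tenable's code: it assumes the server serialises request parameters as JSON into an inline script assigning "oAuthViewModel", and compares that with a serializer that escapes HTML-significant characters. The parameter name `redirect_uri`, the function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Unsafe (assumed pattern): JSON.stringify escapes quotes but not "<", so a
// value containing "</script>" ends the inline script for the HTML parser.
function renderUnsafe(params) {
  return '<script>var oAuthViewModel = ' + JSON.stringify(params) + ';</script>';
}

// Hardened: emit characters significant to the HTML parser (and the two
// Unicode line separators) as \uXXXX escapes. The parsed JS value is unchanged.
const ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}
function renderSafe(params) {
  return '<script>var oAuthViewModel = ' + jsonForInlineScript(params) + ';</script>';
}

// Minimal model of how an HTML parser ends a script element: the first
// case-insensitive "</script" wins, regardless of JavaScript string quoting.
function scriptBodyAsParsed(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return {
    body: html.slice(start, end),                       // what runs as script
    trailing: html.slice(html.indexOf('>', end) + 1),   // what is parsed as HTML
  };
}

// Constructed request parameter carrying a harmless markup marker.
const sample = { redirect_uri: 'https://example.com/cb</script><b>injected</b>' };

const unsafeView = scriptBodyAsParsed(renderUnsafe(sample));
const safeView = scriptBodyAsParsed(renderSafe(sample));
console.log('unsafe, parsed as HTML after the script:', unsafeView.trailing);
console.log('safe, parsed as HTML after the script:', JSON.stringify(safeView.trailing));
```

Escaping at serialization time is one layer; a Content-Security-Policy that disallows unexpected inline script limits the impact if an unescaped value slips through elsewhere.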

To illustrate the severity of the issue, a proof of concept showcases how a user can be redirected to a seemingly innocuous website, like "https://tenable.com," thereby exposing them to potential phishing attacks. Citrix acknowledges the issue and has implemented a server-side fix to mitigate the risk.

The disclosure timeline illustrates Tenable's proactive approach in notifying Citrix about the vulnerability.

It's imperative that users and organizations take this vulnerability seriously and follow the recommended steps to safeguard their systems and data. The incident serves as a reminder of the importance of timely and transparent communication about security vulnerabilities to ensure the safety of users' information.

