Security Advisory regarding TIBCO Managed File Transfer

Article ID: KB0108036
Product: TIBCO Managed File Transfer Command Center
Versions: 8.2.1 and below

Description

The affected component has a reflected XSS vulnerability: an attacker could craft a URL that will execute arbitrary commands on the affected system. If the attacker convinces an authenticated user to enter or click on the URL, the commands are executed on the affected system.

Impact

The impact of this vulnerability includes the possibility that an attacker gains access to the affected user's session ID and takes any action that the affected user has the privilege to perform.

Environment

Systems Affected:
- TIBCO Managed File Transfer Command Center versions 8.2.1 and below
- TIBCO Managed File Transfer Internet Server versions 8.2.1 and below

Resolution

The workaround for this issue is to update the httpparamchecking.xml file:

cd <MFT-Install>/server/webapps/cfcc/WEB-INF
copy httpparamchecking.xml httpparamchecking.xml.orig
edit httpparamchecking.xml

Make the following two changes to the file, then restart:

1.  In lines 63-168 (approximately), add "|%7C" to the alternation group of each rule. A generic change command that does this:
        change "#60;|%3C)" to "#60;|%3C|%7C)"

2.  Add the following line after line 62 (the line containing <!-- Checking javascript eventhandler, <... EventHandler=... -->):
<regexvalue>(?s).*(&lt;|&quot;|&apos;|&#38;lt;|&#38;#x3C;|&#38;#60;|%3C|%7C).*alert.*</regexvalue>

3.  Restart the MFT Server.

Repeat this procedure for all Command Center and Internet Server instances.
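The following is an added illustration, not code from TIBCO or from this advisory, of what the two file changes do. It assumes (the advisory does not say so) that MFT compiles the text of each <regexvalue> element as a regular expression and matches it against the full value of each request parameter. It decodes the advisory's step 2 rule through an XML parser, so the entities become the characters the regex really tests for, applies the step 1 substitution to a constructed "before" version of the same rule, and runs both rules over constructed parameter values to show which ones the workaround newly rejects. The function names, the "before" rule and all sample values are constructed for this example.

```python
"""Illustration of the httpparamchecking.xml workaround (assumed semantics: each
<regexvalue> text is compiled as a regex and tested against a whole parameter value)."""
import re
import xml.etree.ElementTree as ET

# Step 2's line from the advisory, verbatim. Parsing it as XML decodes &lt; to "<",
# &#38;lt; to the literal text "&lt;", and so on, which is what the rule really matches.
PATCHED_XML = ('<regexvalue>(?s).*(&lt;|&quot;|&apos;|&#38;lt;|&#38;#x3C;'
               '|&#38;#60;|%3C|%7C).*alert.*</regexvalue>')

# Constructed "before" form: the same rule without the "|%7C" alternative.
ORIGINAL_XML = ('<regexvalue>(?s).*(&lt;|&quot;|&apos;|&#38;lt;|&#38;#x3C;'
                '|&#38;#60;|%3C).*alert.*</regexvalue>')


def apply_step1(line: str) -> str:
    """The advisory's generic change command for step 1 as a plain substitution."""
    return line.replace('#60;|%3C)', '#60;|%3C|%7C)')


def load_pattern(xml_fragment: str) -> re.Pattern:
    """Decode the XML entities of a <regexvalue> element and compile the result."""
    element = ET.fromstring(xml_fragment)
    return re.compile(element.text)


def blocked_parameters(pattern: re.Pattern, params: dict) -> list:
    """Names of the parameters whose whole value the rule matches."""
    return [name for name, value in params.items() if pattern.fullmatch(value)]


# Constructed request parameters: a benign file name, a raw "<", a percent-encoded
# "<", a percent-encoded "|" (%7C, the form the workaround adds), and the bare word
# "alert" with none of the listed tokens in front of it.
SAMPLE_PARAMS = {
    'fileName': 'quarterly-report.csv',
    'rawAngle': '<alert>',
    'encodedAngle': '%3Calert',
    'encodedPipe': '%7C alert',
    'plainWord': 'alert',
}

if __name__ == '__main__':
    before = load_pattern(ORIGINAL_XML)
    after = load_pattern(PATCHED_XML)
    print('decoded rule:', after.pattern)
    print('blocked before workaround:', blocked_parameters(before, SAMPLE_PARAMS))
    print('blocked after workaround: ', blocked_parameters(after, SAMPLE_PARAMS))
```

The decoded rule shows why the entities in the XML are doubled: `&lt;` becomes the raw character `<`, while `&#38;lt;` becomes the literal text `&lt;`, so the one rule covers a raw angle bracket, its HTML-entity spellings and its percent-encoded form, and after the change the percent-encoded pipe as well. Whether a given deployment sees parameter values before or after URL decoding is not stated in the advisory, so verify on a test instance that the rejected cases above are actually rejected after the restart.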

Issue/Introduction

Security Advisory regarding TIBCO Managed File Transfer Reflected XSS